neconyd | a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe
Size

96KB
MD5

69fb77d843534d1472a385245398dafc
SHA1

75877faa1f0af52e1421f6a1e7d354677ac7a7c6
SHA256

a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115
SHA512

079432c632d2b33f20fa8133f6282d56e5ae73271ba7ae716649e5fb243482777df227d35f3beb8dd09f084ee627d6993ee824fb68a973db7817c8a44b9b0e98
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:UGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3776	omsecor.exe
3248	omsecor.exe
3640	omsecor.exe
3552	omsecor.exe
444	omsecor.exe
1564	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 2028	2432	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe	82
PID 3776 set thread context of 3248	3776	omsecor.exe	87
PID 3640 set thread context of 3552	3640	omsecor.exe	100
PID 444 set thread context of 1564	444	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
980	2432	WerFault.exe	81
2064	3776	WerFault.exe	85
2572	3640	WerFault.exe	99
5004	444	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2028	2432	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe	82
PID 2432 wrote to memory of 2028	2432	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe	82
PID 2432 wrote to memory of 2028	2432	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe	82
PID 2432 wrote to memory of 2028	2432	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe	82
PID 2432 wrote to memory of 2028	2432	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe	82
PID 2028 wrote to memory of 3776	2028	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe	85
PID 2028 wrote to memory of 3776	2028	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe	85
PID 2028 wrote to memory of 3776	2028	a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe	85
PID 3776 wrote to memory of 3248	3776	omsecor.exe	87
PID 3776 wrote to memory of 3248	3776	omsecor.exe	87
PID 3776 wrote to memory of 3248	3776	omsecor.exe	87
PID 3776 wrote to memory of 3248	3776	omsecor.exe	87
PID 3776 wrote to memory of 3248	3776	omsecor.exe	87
PID 3248 wrote to memory of 3640	3248	omsecor.exe	99
PID 3248 wrote to memory of 3640	3248	omsecor.exe	99
PID 3248 wrote to memory of 3640	3248	omsecor.exe	99
PID 3640 wrote to memory of 3552	3640	omsecor.exe	100
PID 3640 wrote to memory of 3552	3640	omsecor.exe	100
PID 3640 wrote to memory of 3552	3640	omsecor.exe	100
PID 3640 wrote to memory of 3552	3640	omsecor.exe	100
PID 3640 wrote to memory of 3552	3640	omsecor.exe	100
PID 3552 wrote to memory of 444	3552	omsecor.exe	102
PID 3552 wrote to memory of 444	3552	omsecor.exe	102
PID 3552 wrote to memory of 444	3552	omsecor.exe	102
PID 444 wrote to memory of 1564	444	omsecor.exe	104
PID 444 wrote to memory of 1564	444	omsecor.exe	104
PID 444 wrote to memory of 1564	444	omsecor.exe	104
PID 444 wrote to memory of 1564	444	omsecor.exe	104
PID 444 wrote to memory of 1564	444	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe
"C:\Users\Admin\AppData\Local\Temp\a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe
  C:\Users\Admin\AppData\Local\Temp\a50868a33b92fa41f64f53507edc04a16621c8b26b9a7493954bb6a8dae95115.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 256
        8⤵
        Program crash
        
        PID:5004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 292
        6⤵
        Program crash
        
        PID:2572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 300
      4⤵
      Program crash
      PID:2064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 300
  2⤵
  - Program crash
  PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2432 -ip 2432
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3776 -ip 3776
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3640 -ip 3640
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 444 -ip 444
1⤵
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f3b4eb80deb0d38db1eacb0b0384b569

SHA1
3b188e1d16538c01db5121d19d0b4f651922f2e5

SHA256
c3aac8e88220837310912d943a3ba2907b6ff0665ca218b23ddc18d030073b66

SHA512
e897dfdcdec32b3a1b1b78bba462012b045a4426d26dbc3e7c6a7919fd9fefa3adf0d23a959c497b54eb3b2c73af452c0ac98373295c16b0d83451893555ca29

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
dbc84b54b4006fa99608520269c82ead

SHA1
11f23cd9bf4a28541c3a07b4ff05132b4a8185cd

SHA256
cf30815c3e03c2dc341f4808fb022a37611a2103e43648e9b7118264f4b18f3e

SHA512
717ba8ac54c48a28e7e514854d5ffbad536fb4eb1f74f91a492109ffabe19e83e8aa2e7819f1a76f7eb5ebf2e5c7bf0ed060a9e3f2eef8276ee43876e8385552

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2961ac7aed68f48c4023ae47b12835d8

SHA1
b622a9ff693b2f344cc46fbc3774ea8509875524

SHA256
22a886cd252a8af84cf37baa40efd7c88bfee05397cb2c651c81e18dd6c0e90e

SHA512
516f424009db0c3eccb39d2dad98c0146651e5e708f0f43b17e7a920d520a94f84e98e50d5c21d556d8dced564626c3e633dcee5114a57448a900d95836e8168

Download Submit
memory/444-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1564-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1564-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1564-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2432-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3248-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3248-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3248-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3248-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3248-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3248-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3248-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3640-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3640-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3776-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3776-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download