neconyd | fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe
Size

96KB
MD5

f0d13b0277df2e4993d830536d860510
SHA1

9341e18dcfe93ac48971fc0967383a919a036e63
SHA256

fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04
SHA512

94f134046f8761f808b30784f4e4496338812104ed1a0313746116b4b39e644cc7dd33df6d1d40e6f7c009f016a311ba118dac46e081d864f0d7f26df5eb2074
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:JGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
832	omsecor.exe
3048	omsecor.exe
868	omsecor.exe
3296	omsecor.exe
4660	omsecor.exe
2416	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 4560	5064	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe	83
PID 832 set thread context of 3048	832	omsecor.exe	88
PID 868 set thread context of 3296	868	omsecor.exe	108
PID 4660 set thread context of 2416	4660	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3504	5064	WerFault.exe	82
3860	832	WerFault.exe	85
2800	868	WerFault.exe	107
1708	4660	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 4560	5064	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe	83
PID 5064 wrote to memory of 4560	5064	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe	83
PID 5064 wrote to memory of 4560	5064	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe	83
PID 5064 wrote to memory of 4560	5064	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe	83
PID 5064 wrote to memory of 4560	5064	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe	83
PID 4560 wrote to memory of 832	4560	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe	85
PID 4560 wrote to memory of 832	4560	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe	85
PID 4560 wrote to memory of 832	4560	fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe	85
PID 832 wrote to memory of 3048	832	omsecor.exe	88
PID 832 wrote to memory of 3048	832	omsecor.exe	88
PID 832 wrote to memory of 3048	832	omsecor.exe	88
PID 832 wrote to memory of 3048	832	omsecor.exe	88
PID 832 wrote to memory of 3048	832	omsecor.exe	88
PID 3048 wrote to memory of 868	3048	omsecor.exe	107
PID 3048 wrote to memory of 868	3048	omsecor.exe	107
PID 3048 wrote to memory of 868	3048	omsecor.exe	107
PID 868 wrote to memory of 3296	868	omsecor.exe	108
PID 868 wrote to memory of 3296	868	omsecor.exe	108
PID 868 wrote to memory of 3296	868	omsecor.exe	108
PID 868 wrote to memory of 3296	868	omsecor.exe	108
PID 868 wrote to memory of 3296	868	omsecor.exe	108
PID 3296 wrote to memory of 4660	3296	omsecor.exe	110
PID 3296 wrote to memory of 4660	3296	omsecor.exe	110
PID 3296 wrote to memory of 4660	3296	omsecor.exe	110
PID 4660 wrote to memory of 2416	4660	omsecor.exe	112
PID 4660 wrote to memory of 2416	4660	omsecor.exe	112
PID 4660 wrote to memory of 2416	4660	omsecor.exe	112
PID 4660 wrote to memory of 2416	4660	omsecor.exe	112
PID 4660 wrote to memory of 2416	4660	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe
"C:\Users\Admin\AppData\Local\Temp\fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe
  C:\Users\Admin\AppData\Local\Temp\fa85e93d6bb10cd45da3d23881b838218ec90368e0c164f8f99ac0d5bdf64c04N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 256
        8⤵
        Program crash
        
        PID:1708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 296
        6⤵
        Program crash
        
        PID:2800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 296
      4⤵
      Program crash
      PID:3860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 288
  2⤵
  - Program crash
  PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 832 -ip 832
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 868 -ip 868
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4660 -ip 4660
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7cd476758541b9abbe02edcd54d4a836

SHA1
ae8723c9d482da8aa18ebf497178a9fe11bc5ef9

SHA256
16ef36cb323412ceb7e3c834bd874c053793c97d4f7273d3bab9aaf7fdb39baa

SHA512
99a4febf14aabe74298ea327776d97476a1bb2cfec8f8e213cf28d32a9d95df152b0145dae28d58fdf4cc635fc78c214eda49e96468ff6fba49a1c5245b62599

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0ae1cc98e9cdc7a7a4ae9043615e68c9

SHA1
08122a48414e92f60b82d2a87288e1ed721e9f8b

SHA256
e9fa7044528df787d676eaf27b4fd73185563ed004809e56b00969c8aa0ffd12

SHA512
5e041e85922aa7f8166d058a4b5cbfb551e65a698c1ccba00200e8e05d864883447f2e6100d5dc0e512714dc2babb42dad5312588f898f4724902452d3664735

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e4af23572a6266e91fe1ebeba1f3515f

SHA1
97a71e077ec877e04862766b5078b4339e2d4e0b

SHA256
e0ff5053d8957ded98c8afddfddefa509383a954379f8b8a1be4e82f39e98541

SHA512
46f59c21847517c1216f14754ad1d51b85013233a67772b7f34ab353d73613d5bde89b88e8673a987ae6d1471f4f0d27ea5b3abdbe1c6e0cbe8bb413556fe7b8

Download Submit
memory/832-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/832-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/868-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/868-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2416-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2416-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3296-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3296-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3296-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4660-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5064-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5064-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download