neconyd | ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
Size

96KB
MD5

8d3451b5deaebdda6578fba417dca760
SHA1

fe22f844f47eac7cd984de8718d19b751cd85d0b
SHA256

ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c
SHA512

7105663d1fe0c95bb73e547a3abd93158627b34982aabd0dbb18b8885c4023b9ac70bd58f282e26c4d03bbab8e2e90e0d5d2f01720360ff92a2e6b03d8b57b64
SSDEEP

1536:WnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:WGs8cd8eXlYairZYqMddH13x

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3928	omsecor.exe
2336	omsecor.exe
2128	omsecor.exe
4608	omsecor.exe
4760	omsecor.exe
3268	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3676 set thread context of 4276	3676	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	82
PID 3928 set thread context of 2336	3928	omsecor.exe	87
PID 2128 set thread context of 4608	2128	omsecor.exe	100
PID 4760 set thread context of 3268	4760	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4672	3676	WerFault.exe	81
4732	3928	WerFault.exe	85
3632	2128	WerFault.exe	99
1044	4760	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 4276	3676	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	82
PID 3676 wrote to memory of 4276	3676	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	82
PID 3676 wrote to memory of 4276	3676	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	82
PID 3676 wrote to memory of 4276	3676	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	82
PID 3676 wrote to memory of 4276	3676	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	82
PID 4276 wrote to memory of 3928	4276	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	85
PID 4276 wrote to memory of 3928	4276	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	85
PID 4276 wrote to memory of 3928	4276	ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe	85
PID 3928 wrote to memory of 2336	3928	omsecor.exe	87
PID 3928 wrote to memory of 2336	3928	omsecor.exe	87
PID 3928 wrote to memory of 2336	3928	omsecor.exe	87
PID 3928 wrote to memory of 2336	3928	omsecor.exe	87
PID 3928 wrote to memory of 2336	3928	omsecor.exe	87
PID 2336 wrote to memory of 2128	2336	omsecor.exe	99
PID 2336 wrote to memory of 2128	2336	omsecor.exe	99
PID 2336 wrote to memory of 2128	2336	omsecor.exe	99
PID 2128 wrote to memory of 4608	2128	omsecor.exe	100
PID 2128 wrote to memory of 4608	2128	omsecor.exe	100
PID 2128 wrote to memory of 4608	2128	omsecor.exe	100
PID 2128 wrote to memory of 4608	2128	omsecor.exe	100
PID 2128 wrote to memory of 4608	2128	omsecor.exe	100
PID 4608 wrote to memory of 4760	4608	omsecor.exe	102
PID 4608 wrote to memory of 4760	4608	omsecor.exe	102
PID 4608 wrote to memory of 4760	4608	omsecor.exe	102
PID 4760 wrote to memory of 3268	4760	omsecor.exe	103
PID 4760 wrote to memory of 3268	4760	omsecor.exe	103
PID 4760 wrote to memory of 3268	4760	omsecor.exe	103
PID 4760 wrote to memory of 3268	4760	omsecor.exe	103
PID 4760 wrote to memory of 3268	4760	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
"C:\Users\Admin\AppData\Local\Temp\ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
  C:\Users\Admin\AppData\Local\Temp\ae6674adfc39acc7ad8dfca53adb2b2e344f8a3f2a65b2fb989f503d85f5e34c.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 256
        8⤵
        Program crash
        
        PID:1044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 292
        6⤵
        Program crash
        
        PID:3632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 300
      4⤵
      Program crash
      PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 288
  2⤵
  - Program crash
  PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3676 -ip 3676
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3928 -ip 3928
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2128 -ip 2128
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4760 -ip 4760
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
cfefbfbf26b9863a98471504d08f4bc0

SHA1
ff839e6eb32e39c2fb974fb70469ae29a36d9154

SHA256
3da1ecc3092d6a6fbe3885aaa27189d0ecb22f4e123d03ecf74a324c9b45860d

SHA512
f4152b28efd47bea66f2dad9df162b20c1362a6537ef24bccdd555e9e96e3e8db1b614aeb04749d7f2d3ef3360e8b742ca346a3b4b7aac4a8bdf3d3a740466fd

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
164ddcb8acb2f2563e49f91088200d20

SHA1
575ea078272d5c625875889b23d71e277a0026e4

SHA256
24afbaaf0bf6776cbdac202b0c572d5204a007caffb8793c8ad29cf172669888

SHA512
718c348dee1a953ea6ef9d252d9c36351e90f8fa20fbfa78f74e8bb385fd80bfe7897a05fbb9086875f4bdab9ed1554f576272d4c59457ccb56e01814d8b32bf

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d539f953773096c42ee8c0c710c041a2

SHA1
aab02a6db3af205e14550011d314ac7abc346b1a

SHA256
7d693085b4f92f8bc4959a6aed1028b4e10cb1c3650027dd3e9f86cb31fa3c2b

SHA512
9feb4567e1829b6b4a286efdb3a0e3cac56c217dfb1b96100d55a6c4a3eaa3d9aeacb4dd8137a394dd72da4e13b2b5981c4470fbcebe613e078d0d936d4c3a8b

Download Submit
memory/2128-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2128-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3268-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3268-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3268-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3268-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3676-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3676-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3928-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3928-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4276-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4276-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4276-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4276-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4608-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4608-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4608-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4760-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4760-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download