neconyd | db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe
Size

96KB
MD5

e1f2feffb32ad90c16b392d37cb81d10
SHA1

cea01145aa04eb43b1f738dd590167114cb86b93
SHA256

db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519
SHA512

0b8c50233bc5179f6e55b20113746f651534520baec4b10def5d3939091fc521c3579584d8eb849138de9f1d83dc09c181689d9287ce410e08fa3b2511eb1dce
SSDEEP

1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxq:aGs8cd8eXlYairZYqMddH13q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2340	omsecor.exe
728	omsecor.exe
2356	omsecor.exe
2708	omsecor.exe
4872	omsecor.exe
2024	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3996 set thread context of 5004	3996	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe	82
PID 2340 set thread context of 728	2340	omsecor.exe	86
PID 2356 set thread context of 2708	2356	omsecor.exe	100
PID 4872 set thread context of 2024	4872	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3860	2340	WerFault.exe	84
736	3996	WerFault.exe	81
1588	2356	WerFault.exe	99
3520	4872	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 5004	3996	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe	82
PID 3996 wrote to memory of 5004	3996	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe	82
PID 3996 wrote to memory of 5004	3996	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe	82
PID 3996 wrote to memory of 5004	3996	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe	82
PID 3996 wrote to memory of 5004	3996	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe	82
PID 5004 wrote to memory of 2340	5004	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe	84
PID 5004 wrote to memory of 2340	5004	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe	84
PID 5004 wrote to memory of 2340	5004	db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe	84
PID 2340 wrote to memory of 728	2340	omsecor.exe	86
PID 2340 wrote to memory of 728	2340	omsecor.exe	86
PID 2340 wrote to memory of 728	2340	omsecor.exe	86
PID 2340 wrote to memory of 728	2340	omsecor.exe	86
PID 2340 wrote to memory of 728	2340	omsecor.exe	86
PID 728 wrote to memory of 2356	728	omsecor.exe	99
PID 728 wrote to memory of 2356	728	omsecor.exe	99
PID 728 wrote to memory of 2356	728	omsecor.exe	99
PID 2356 wrote to memory of 2708	2356	omsecor.exe	100
PID 2356 wrote to memory of 2708	2356	omsecor.exe	100
PID 2356 wrote to memory of 2708	2356	omsecor.exe	100
PID 2356 wrote to memory of 2708	2356	omsecor.exe	100
PID 2356 wrote to memory of 2708	2356	omsecor.exe	100
PID 2708 wrote to memory of 4872	2708	omsecor.exe	102
PID 2708 wrote to memory of 4872	2708	omsecor.exe	102
PID 2708 wrote to memory of 4872	2708	omsecor.exe	102
PID 4872 wrote to memory of 2024	4872	omsecor.exe	104
PID 4872 wrote to memory of 2024	4872	omsecor.exe	104
PID 4872 wrote to memory of 2024	4872	omsecor.exe	104
PID 4872 wrote to memory of 2024	4872	omsecor.exe	104
PID 4872 wrote to memory of 2024	4872	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe
"C:\Users\Admin\AppData\Local\Temp\db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe
  C:\Users\Admin\AppData\Local\Temp\db4f8711420185ac7f77c66c1d4a9a8f72959085f4dc6fa4fa494d13bad6b519N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:728
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 264
        8⤵
        Program crash
        
        PID:3520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 292
        6⤵
        Program crash
        
        PID:1588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 272
      4⤵
      Program crash
      PID:3860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 300
  2⤵
  - Program crash
  PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3996 -ip 3996
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2340 -ip 2340
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2356 -ip 2356
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4872 -ip 4872
1⤵
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ea39140604975c7f904cd7cbb67af112

SHA1
13dc031d592e8c21a6e180ed5414d99557ea013c

SHA256
5fa52fb5bd8e733f1fc4259fe6eb19bafb3a525db5469cb3e72fa612f690b513

SHA512
b268b95462a1d99c0444c3ad187bf633cca5cefb32e3081833c4e3c9ea024d5ceee935221d7dbaaa2aaac4d03047f8d7ce52320bb38fc8ae1aab49a62d1b8da2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9d1bba21601bbc7152012c79dc74e590

SHA1
6d396b0e30b52a9459b87f5d44577373f77a9261

SHA256
2b0dd385c35f9ae9aa061a8556ee25124eb4392e8f91d103f06765d78fb50e26

SHA512
d424461521a66bae8d259418e85f287be53c89982924a9389c68412aebc65e9c0fd5de72710e257eab54e00f65c9360664ce7ca3eaf36dfdf93db139c07467f3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
7790810c98d5b637d2b872c5151e651e

SHA1
bbaba4a953d4e94c89bc21214f14d2d91fce8140

SHA256
da673be0a65836e00fe28e1e38cc1d06dc4a2ac9420bea859b30471f812d0d2e

SHA512
0155f403af6438e218b39287ded4b3bc0e110baa1656f281fe81f20a22658b24ab6bc63e23a6d98563b2f2531aaadccd0ba3f162a34fd483b449a5d60883f09e

Download Submit
memory/728-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/728-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/728-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/728-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/728-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/728-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/728-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2340-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2356-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2708-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3996-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3996-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4872-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4872-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5004-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download