neconyd | dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe
Size

96KB
MD5

546e3573ac5bff547811b44fb4ec56e0
SHA1

d0ea09b1c9554d0b59ecd0e87195297d82b7057c
SHA256

dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98
SHA512

bace3256111add09e8eb5399e0a0e1c80367fbdb7d86ecad8dc1fd217fe89ed1804b1402951335ed82657f37407d76c26653b68f6ab806390b925ff714f8ca9d
SSDEEP

1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxq:OGs8cd8eXlYairZYqMddH13q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2852	omsecor.exe
1344	omsecor.exe
2644	omsecor.exe
1216	omsecor.exe
3244	omsecor.exe
1412	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3480 set thread context of 4856	3480	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe	82
PID 2852 set thread context of 1344	2852	omsecor.exe	87
PID 2644 set thread context of 1216	2644	omsecor.exe	100
PID 3244 set thread context of 1412	3244	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1788	3480	WerFault.exe	81
2776	2852	WerFault.exe	85
3620	2644	WerFault.exe	99
1180	3244	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4856	3480	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe	82
PID 3480 wrote to memory of 4856	3480	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe	82
PID 3480 wrote to memory of 4856	3480	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe	82
PID 3480 wrote to memory of 4856	3480	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe	82
PID 3480 wrote to memory of 4856	3480	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe	82
PID 4856 wrote to memory of 2852	4856	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe	85
PID 4856 wrote to memory of 2852	4856	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe	85
PID 4856 wrote to memory of 2852	4856	dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe	85
PID 2852 wrote to memory of 1344	2852	omsecor.exe	87
PID 2852 wrote to memory of 1344	2852	omsecor.exe	87
PID 2852 wrote to memory of 1344	2852	omsecor.exe	87
PID 2852 wrote to memory of 1344	2852	omsecor.exe	87
PID 2852 wrote to memory of 1344	2852	omsecor.exe	87
PID 1344 wrote to memory of 2644	1344	omsecor.exe	99
PID 1344 wrote to memory of 2644	1344	omsecor.exe	99
PID 1344 wrote to memory of 2644	1344	omsecor.exe	99
PID 2644 wrote to memory of 1216	2644	omsecor.exe	100
PID 2644 wrote to memory of 1216	2644	omsecor.exe	100
PID 2644 wrote to memory of 1216	2644	omsecor.exe	100
PID 2644 wrote to memory of 1216	2644	omsecor.exe	100
PID 2644 wrote to memory of 1216	2644	omsecor.exe	100
PID 1216 wrote to memory of 3244	1216	omsecor.exe	102
PID 1216 wrote to memory of 3244	1216	omsecor.exe	102
PID 1216 wrote to memory of 3244	1216	omsecor.exe	102
PID 3244 wrote to memory of 1412	3244	omsecor.exe	104
PID 3244 wrote to memory of 1412	3244	omsecor.exe	104
PID 3244 wrote to memory of 1412	3244	omsecor.exe	104
PID 3244 wrote to memory of 1412	3244	omsecor.exe	104
PID 3244 wrote to memory of 1412	3244	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe
"C:\Users\Admin\AppData\Local\Temp\dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe
  C:\Users\Admin\AppData\Local\Temp\dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 260
        8⤵
        Program crash
        
        PID:1180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 292
        6⤵
        Program crash
        
        PID:3620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 300
      4⤵
      Program crash
      PID:2776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 288
  2⤵
  - Program crash
  PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3480 -ip 3480
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2852 -ip 2852
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2644 -ip 2644
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3244 -ip 3244
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7a0f0c4adaa1cc5cee225f5cc4ba03f2

SHA1
6f90c346c1b93df0b3f12ced78132b0afc15fbc4

SHA256
cf774d9f579ee6e9c84b266b183927aa7667ae8a3e8ebae0b42d50092edc6bc6

SHA512
c9f56c684a7419d06f548f86cbad012a99475264401977202cbd2fb072946bf18ca13eb594a8ba6ff2c184364da00c2fa6a71edfed2591f28a36f08999631f98

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b4149a7ebc97f13f2d9b920353ffebb6

SHA1
f8d8f620d32aca0e1640b7f5be7e50805cfea090

SHA256
e9ca927468c22be15bc83132fc53f33d838c001a26ecaf3ef01b83a13ca195bf

SHA512
8e4e2647acf719d47620e6c5b8eed202fdb10c4da2f9a770d70338ed7ec8f0cc49fd5e89a81418835f202b939889e3853e1f5dbce7dbb132c684dbba5e8b3353

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
f5d9493fc7db3db95548299f6693b6f9

SHA1
a432954ef6f0f45cbfd6157f53828d60a335843b

SHA256
f9f64d5a48602080e0258935bc60dcc39e72d9982e6d98f5bf4d3474c836aa7a

SHA512
e51c785a24bb4c3b705b12e63e7c6d5d40dd4f6009b7d6a55739839b5bb5080c94e562159bdf70261e746b8c7edf91c60343fae568dc0bbee27dbd6e11fe4055

Download Submit
memory/1216-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1216-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1216-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1344-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1344-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1344-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1344-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1344-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1344-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1344-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1412-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1412-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1412-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3244-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3244-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3480-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3480-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4856-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4856-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4856-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4856-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download