neconyd | 202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3deb

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
Size

134KB
MD5

622a24ded3eadc25a3f5f6fac27c8e60
SHA1

1d7fe49b2aae07c9cd77860f13b0eb753d3611e1
SHA256

202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3deb
SHA512

3a7919f01563396d1aab3fc2c2d05c4fa32c754c312daff21c5364e70a17d9264282b17a7bf2e494b864c94f6600eb6b876d5a5d7f19e0e0d2a0dbeffc7e46e8
SSDEEP

1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCin:SiRTeH0iqAW6J6f1tqF6dngNmaZCiaG

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2520	omsecor.exe
3112	omsecor.exe
1484	omsecor.exe
3652	omsecor.exe
4348	omsecor.exe
4512	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 1372	1608	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	83
PID 2520 set thread context of 3112	2520	omsecor.exe	87
PID 1484 set thread context of 3652	1484	omsecor.exe	111
PID 4348 set thread context of 4512	4348	omsecor.exe	115

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1792	2520	WerFault.exe	85
3012	1608	WerFault.exe	82
4688	1484	WerFault.exe	110
5088	4348	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1372	1608	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	83
PID 1608 wrote to memory of 1372	1608	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	83
PID 1608 wrote to memory of 1372	1608	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	83
PID 1608 wrote to memory of 1372	1608	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	83
PID 1608 wrote to memory of 1372	1608	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	83
PID 1372 wrote to memory of 2520	1372	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	85
PID 1372 wrote to memory of 2520	1372	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	85
PID 1372 wrote to memory of 2520	1372	202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe	85
PID 2520 wrote to memory of 3112	2520	omsecor.exe	87
PID 2520 wrote to memory of 3112	2520	omsecor.exe	87
PID 2520 wrote to memory of 3112	2520	omsecor.exe	87
PID 2520 wrote to memory of 3112	2520	omsecor.exe	87
PID 2520 wrote to memory of 3112	2520	omsecor.exe	87
PID 3112 wrote to memory of 1484	3112	omsecor.exe	110
PID 3112 wrote to memory of 1484	3112	omsecor.exe	110
PID 3112 wrote to memory of 1484	3112	omsecor.exe	110
PID 1484 wrote to memory of 3652	1484	omsecor.exe	111
PID 1484 wrote to memory of 3652	1484	omsecor.exe	111
PID 1484 wrote to memory of 3652	1484	omsecor.exe	111
PID 1484 wrote to memory of 3652	1484	omsecor.exe	111
PID 1484 wrote to memory of 3652	1484	omsecor.exe	111
PID 3652 wrote to memory of 4348	3652	omsecor.exe	113
PID 3652 wrote to memory of 4348	3652	omsecor.exe	113
PID 3652 wrote to memory of 4348	3652	omsecor.exe	113
PID 4348 wrote to memory of 4512	4348	omsecor.exe	115
PID 4348 wrote to memory of 4512	4348	omsecor.exe	115
PID 4348 wrote to memory of 4512	4348	omsecor.exe	115
PID 4348 wrote to memory of 4512	4348	omsecor.exe	115
PID 4348 wrote to memory of 4512	4348	omsecor.exe	115

C:\Users\Admin\AppData\Local\Temp\202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
"C:\Users\Admin\AppData\Local\Temp\202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
  C:\Users\Admin\AppData\Local\Temp\202257007295d6074ebcd93c9dd7ea1eda9402770f58f547c390555e707d3debN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 252
        8⤵
        Program crash
        
        PID:5088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 292
        6⤵
        Program crash
        
        PID:4688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 288
      4⤵
      Program crash
      PID:1792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 300
  2⤵
  - Program crash
  PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1608 -ip 1608
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2520 -ip 2520
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1484 -ip 1484
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4348 -ip 4348
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d4d610803b5052cafc828ddb482c6fbd

SHA1
ad137da6e7ea42d7b71cc7f3319a1ae21ef9dba3

SHA256
48b516f3894831842caa26b1ab0660f8740970bbd2718555f3748ab9a61cd6a9

SHA512
803d1896991035673cae6e75c3963dad6cf6e9aa660d8e975f8638c4610a35265ba3cd982645f0c1993fc1b6a1ed3cb28eaf4bdbb24648abb76fc80ef0d8df61

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
c124d97d03e9306b3e2620848821c030

SHA1
9b106f68e68131dfd04c0277d6e8cb5a3f482930

SHA256
1343c88c7be55524eb901074f95ad6caaa98e77cae7bb08cf8b4a749f130d673

SHA512
c335fd6b073edabed1c1050e485a348d13519800232600e0246622e85ea1c8dbbad2912a0bf276cda584d19a92874c6dbf19655fc526f5a69c378e3a4269aa43

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
6d212d59bc74a7637ea958a4893c0d93

SHA1
b7f96121e716bd5f37602896e3b5b49fe182006a

SHA256
ec4ab18a87532e02b5675d2c6fc1bdedcec7ad6efe47a610719bec055d46f3d1

SHA512
4e92ba2a57570b94a4c73ffe786d9e1a2083d7df6c13d0c6f07951e688c32af46499b11e8064c146513cd8da0c56092e935dc759755794b044d142536eb63d80

Download Submit
memory/1372-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1372-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1372-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1372-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1484-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1484-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1608-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1608-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2520-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2520-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3112-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3112-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4348-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4512-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download