neconyd | 0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe
Size

96KB
MD5

5c0ec8ffb50b2d126ed6d9b45bd1f3f0
SHA1

c49b4b3a4800e2bf3c13e0b62d4c145e93a7e4ea
SHA256

0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3
SHA512

9552fb001804ed8fab4f7294eb88d8f52a756db6eacf3cecaa2eebfd838a21e99ab5a61c0e4c12ed3c25018c2b801fe6834329b90f7d8a7d09f46dd067b9764d
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:zGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2372	omsecor.exe
4688	omsecor.exe
1104	omsecor.exe
4972	omsecor.exe
4308	omsecor.exe
2296	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3240 set thread context of 4088	3240	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe	82
PID 2372 set thread context of 4688	2372	omsecor.exe	87
PID 1104 set thread context of 4972	1104	omsecor.exe	100
PID 4308 set thread context of 2296	4308	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
728	3240	WerFault.exe	81
3036	2372	WerFault.exe	84
3256	1104	WerFault.exe	99
2884	4308	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4088	3240	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe	82
PID 3240 wrote to memory of 4088	3240	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe	82
PID 3240 wrote to memory of 4088	3240	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe	82
PID 3240 wrote to memory of 4088	3240	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe	82
PID 3240 wrote to memory of 4088	3240	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe	82
PID 4088 wrote to memory of 2372	4088	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe	84
PID 4088 wrote to memory of 2372	4088	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe	84
PID 4088 wrote to memory of 2372	4088	0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe	84
PID 2372 wrote to memory of 4688	2372	omsecor.exe	87
PID 2372 wrote to memory of 4688	2372	omsecor.exe	87
PID 2372 wrote to memory of 4688	2372	omsecor.exe	87
PID 2372 wrote to memory of 4688	2372	omsecor.exe	87
PID 2372 wrote to memory of 4688	2372	omsecor.exe	87
PID 4688 wrote to memory of 1104	4688	omsecor.exe	99
PID 4688 wrote to memory of 1104	4688	omsecor.exe	99
PID 4688 wrote to memory of 1104	4688	omsecor.exe	99
PID 1104 wrote to memory of 4972	1104	omsecor.exe	100
PID 1104 wrote to memory of 4972	1104	omsecor.exe	100
PID 1104 wrote to memory of 4972	1104	omsecor.exe	100
PID 1104 wrote to memory of 4972	1104	omsecor.exe	100
PID 1104 wrote to memory of 4972	1104	omsecor.exe	100
PID 4972 wrote to memory of 4308	4972	omsecor.exe	102
PID 4972 wrote to memory of 4308	4972	omsecor.exe	102
PID 4972 wrote to memory of 4308	4972	omsecor.exe	102
PID 4308 wrote to memory of 2296	4308	omsecor.exe	104
PID 4308 wrote to memory of 2296	4308	omsecor.exe	104
PID 4308 wrote to memory of 2296	4308	omsecor.exe	104
PID 4308 wrote to memory of 2296	4308	omsecor.exe	104
PID 4308 wrote to memory of 2296	4308	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe
"C:\Users\Admin\AppData\Local\Temp\0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe
  C:\Users\Admin\AppData\Local\Temp\0908ab18b8b4c3c0b071059969539f6bc26c8286abf54eb09f7ed054233681c3N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 256
        8⤵
        Program crash
        
        PID:2884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 292
        6⤵
        Program crash
        
        PID:3256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 292
      4⤵
      Program crash
      PID:3036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 292
  2⤵
  - Program crash
  PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3240 -ip 3240
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2372 -ip 2372
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1104 -ip 1104
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4308 -ip 4308
1⤵
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
03a03e36c88e90eb18996fc9f40a17d1

SHA1
15aaa29e4e390dbfbff9e1a7ba3b71828f14fa60

SHA256
90a9e9b46f9cd558fd8dd144eb4b5f969b59a1f0a126dcc8227f25dec3f20d8a

SHA512
a71c4752da43751654939f16f11f7ff57943e1029b7b71fb0b6f79c7ca9e53a1d5a8446ddc8e656bc3a5503ba44edd52346dbf1b5addbaf8cee25c4c6341122e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
98783b8896e7211b405713c846ff9e43

SHA1
d709a4332d93471490a4eb4333fc23d93a426980

SHA256
902f6eff421b5a212c4790888171e404b5622d8152899eff555f21a66a6002c4

SHA512
33d02bcfabc7aa38acb1a9382085e2300666ebcfe6255e503b8c2a523f20d3b04375821ca60fa2759bb94d979275838fbbec21ec9f1c161193e73e9902c0884b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
cf7e947a3ea6060772b8b39c5aeb6f87

SHA1
dd1da3e6a376cd8c3539df98511950b884beb08c

SHA256
8269f759b34c39a4e876afe895c70bd0216eeffb6ea936b03fda967247193f92

SHA512
4ac5bce612d6fcf1760fc7a783c65a35475a0042e918ed8ac663571f83e16a973a1c80b38269d838df9656954a9287a2cfc0db4a044eeb38deb08f64c9501d64

Download Submit
memory/1104-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1104-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2296-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2372-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3240-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3240-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4088-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4088-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4088-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4088-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4308-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4688-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4688-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4688-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4688-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4688-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4688-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4688-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4972-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4972-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4972-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download