neconyd | 2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9feb

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
Size

96KB
MD5

f2ab66ceebeceabff99bd853e6bdbd40
SHA1

09c6e018602e6f0e53a422217780805da4f9d2e6
SHA256

2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9feb
SHA512

53a26b3c989df8abc526bbf0debe96c1500dc9f48557d446545a0236851822a249087d2c974522576bb63c395e04e220ab9d48f6d5c4257a8554da67e431d195
SSDEEP

1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:jGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
320	omsecor.exe
224	omsecor.exe
3660	omsecor.exe
2888	omsecor.exe
4268	omsecor.exe
4700	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 748	2004	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	83
PID 320 set thread context of 224	320	omsecor.exe	88
PID 3660 set thread context of 2888	3660	omsecor.exe	109
PID 4268 set thread context of 4700	4268	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4380	2004	WerFault.exe	82
3800	320	WerFault.exe	85
4580	3660	WerFault.exe	108
3084	4268	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 748	2004	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	83
PID 2004 wrote to memory of 748	2004	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	83
PID 2004 wrote to memory of 748	2004	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	83
PID 2004 wrote to memory of 748	2004	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	83
PID 2004 wrote to memory of 748	2004	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	83
PID 748 wrote to memory of 320	748	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	85
PID 748 wrote to memory of 320	748	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	85
PID 748 wrote to memory of 320	748	2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe	85
PID 320 wrote to memory of 224	320	omsecor.exe	88
PID 320 wrote to memory of 224	320	omsecor.exe	88
PID 320 wrote to memory of 224	320	omsecor.exe	88
PID 320 wrote to memory of 224	320	omsecor.exe	88
PID 320 wrote to memory of 224	320	omsecor.exe	88
PID 224 wrote to memory of 3660	224	omsecor.exe	108
PID 224 wrote to memory of 3660	224	omsecor.exe	108
PID 224 wrote to memory of 3660	224	omsecor.exe	108
PID 3660 wrote to memory of 2888	3660	omsecor.exe	109
PID 3660 wrote to memory of 2888	3660	omsecor.exe	109
PID 3660 wrote to memory of 2888	3660	omsecor.exe	109
PID 3660 wrote to memory of 2888	3660	omsecor.exe	109
PID 3660 wrote to memory of 2888	3660	omsecor.exe	109
PID 2888 wrote to memory of 4268	2888	omsecor.exe	111
PID 2888 wrote to memory of 4268	2888	omsecor.exe	111
PID 2888 wrote to memory of 4268	2888	omsecor.exe	111
PID 4268 wrote to memory of 4700	4268	omsecor.exe	112
PID 4268 wrote to memory of 4700	4268	omsecor.exe	112
PID 4268 wrote to memory of 4700	4268	omsecor.exe	112
PID 4268 wrote to memory of 4700	4268	omsecor.exe	112
PID 4268 wrote to memory of 4700	4268	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
"C:\Users\Admin\AppData\Local\Temp\2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
  C:\Users\Admin\AppData\Local\Temp\2042c2ad07ae6fd2441fc14389981d8646caecaa1d5abd753aab29feed6e9febN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 256
        8⤵
        Program crash
        
        PID:3084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 296
        6⤵
        Program crash
        
        PID:4580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 288
      4⤵
      Program crash
      PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 300
  2⤵
  - Program crash
  PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2004 -ip 2004
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 320 -ip 320
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3660 -ip 3660
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4268 -ip 4268
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ed8fb75b04b1f0418ea64cbaf4a3d751

SHA1
b16e84528a30b8778b42e40c3e732225f5c4db1a

SHA256
d3c2dbc921ba1784017566934a341b65772cb7ea35d336d678607896e0286e0b

SHA512
89a65e096740da41123380898f6ed494c890ceba65b9e2d6120823a10d10194f1416f7a7795c8217ad659e783039ebd67e5fc2e6a0839caaff0fed8566472651

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
63edf5322c4ee5a8d7def62eab97fc56

SHA1
414a77bbfa3eca14037725e980493bb44ed9f4d1

SHA256
4105eaba4546f9ca5105845383cda1e4fe7cc6d1710239772b55d646e1318d0d

SHA512
29ab47465a745fc0e402b16628a8c558c5f07ce32164f50c0831b90191d4fcb469a764f54b4c001f50ea1513829c32ec388bac1f4c86d4f899afbf481ef229b2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
77835cd9ea20b4955902c93b5a1e4859

SHA1
a607396594236529117c361500fd73ae9c153d99

SHA256
0dcc51149dc9f225b97ea5c430bfc2821dd5a185c5a90acc00c8caecc29bbf19

SHA512
d021598a764f81c1342382304f6c422c3e96b88e87bbc49da45693aaa131c196c0f2ad34bddc296604dccb93f38b29beb26098f485c5fea6ec2c060156336d9e

Download Submit
memory/224-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/224-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/224-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/224-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/224-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/224-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/224-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/320-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/320-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/748-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/748-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/748-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/748-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2004-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2004-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2888-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2888-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2888-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3660-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3660-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4268-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4700-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download