neconyd | c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe
Size

96KB
MD5

416900c00aff107ca4ebcb95c904ab90
SHA1

e49f6e08bdec302e5de3e63bd9b7365c0ff9384b
SHA256

c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8
SHA512

5e315c2a28108a27942d29938de790f21247f968bac7c6230091f58f2342af30cde865e14eb9a3c52db0f14770b10db6854302182180a9208e23542e4485381e
SSDEEP

1536:CnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:CGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
752	omsecor.exe
1956	omsecor.exe
3368	omsecor.exe
2628	omsecor.exe
2008	omsecor.exe
1468	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 1648	4856	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe	85
PID 752 set thread context of 1956	752	omsecor.exe	90
PID 3368 set thread context of 2628	3368	omsecor.exe	112
PID 2008 set thread context of 1468	2008	omsecor.exe	116

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3188	4856	WerFault.exe	84
3888	752	WerFault.exe	88
1112	3368	WerFault.exe	111
1644	2008	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1648	4856	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe	85
PID 4856 wrote to memory of 1648	4856	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe	85
PID 4856 wrote to memory of 1648	4856	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe	85
PID 4856 wrote to memory of 1648	4856	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe	85
PID 4856 wrote to memory of 1648	4856	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe	85
PID 1648 wrote to memory of 752	1648	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe	88
PID 1648 wrote to memory of 752	1648	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe	88
PID 1648 wrote to memory of 752	1648	c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe	88
PID 752 wrote to memory of 1956	752	omsecor.exe	90
PID 752 wrote to memory of 1956	752	omsecor.exe	90
PID 752 wrote to memory of 1956	752	omsecor.exe	90
PID 752 wrote to memory of 1956	752	omsecor.exe	90
PID 752 wrote to memory of 1956	752	omsecor.exe	90
PID 1956 wrote to memory of 3368	1956	omsecor.exe	111
PID 1956 wrote to memory of 3368	1956	omsecor.exe	111
PID 1956 wrote to memory of 3368	1956	omsecor.exe	111
PID 3368 wrote to memory of 2628	3368	omsecor.exe	112
PID 3368 wrote to memory of 2628	3368	omsecor.exe	112
PID 3368 wrote to memory of 2628	3368	omsecor.exe	112
PID 3368 wrote to memory of 2628	3368	omsecor.exe	112
PID 3368 wrote to memory of 2628	3368	omsecor.exe	112
PID 2628 wrote to memory of 2008	2628	omsecor.exe	114
PID 2628 wrote to memory of 2008	2628	omsecor.exe	114
PID 2628 wrote to memory of 2008	2628	omsecor.exe	114
PID 2008 wrote to memory of 1468	2008	omsecor.exe	116
PID 2008 wrote to memory of 1468	2008	omsecor.exe	116
PID 2008 wrote to memory of 1468	2008	omsecor.exe	116
PID 2008 wrote to memory of 1468	2008	omsecor.exe	116
PID 2008 wrote to memory of 1468	2008	omsecor.exe	116

C:\Users\Admin\AppData\Local\Temp\c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe
"C:\Users\Admin\AppData\Local\Temp\c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe
  C:\Users\Admin\AppData\Local\Temp\c8d24857d20b129b9a03b83bef5150bd5463918bfd56b879c1235590bbc2dff8N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3368
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 224
        8⤵
        Program crash
        
        PID:1644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 292
        6⤵
        Program crash
        
        PID:1112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 300
      4⤵
      Program crash
      PID:3888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 288
  2⤵
  - Program crash
  PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4856 -ip 4856
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 752 -ip 752
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3368 -ip 3368
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2008 -ip 2008
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ad4498b3a34fbb676b992f4f7be4f974

SHA1
f99006b04f785a43fd5d40c7d1659b14492c2190

SHA256
bc7d4b2986f6e144c83c070764cf0a909d5c43647ccfc0ce09b2b49ed7ee89ad

SHA512
bce13d6ef5fd78c7b740182b9e5674a296953a0116f6615a9f9db913fe5975ee80ccdbc1c59baaa6767fb9553a11a51992f586c7e3c51319e5c7c814221ff35d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d07cd5e5ccc012f7c242bbad657a3d67

SHA1
b64f54951cdcb3a5ce95d270fa9c507f26b51fc9

SHA256
096477902844f11721c59819d1fb852ba52effcf65326d6d1fb639ee24e577ca

SHA512
f21d449c64018d268e594a921643e92d00774b9d430f5bf30c66dcb19199395e24ed87e50cc46ecf402e5a2227577c8f16f1f634426a0065252182e49d461ea4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
0078735e65973c97736f0ace324e6ff1

SHA1
7f7ebd8b87346fdf98e5c507ebdd63ceb2d717a2

SHA256
a85b33e2359b4f0424361584ccbd947fd8f670e5a1310724507008452e19e61a

SHA512
188dc05d809cec42944d2f4ac9b904e1399dcfb27073c4723bb91a20112375cd2369a267d3257e4fc2de164c7ac1d47fabd04607c03008d30e77982499e9f4e7

Download Submit
memory/752-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/752-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1648-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1648-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1648-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1648-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2628-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3368-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3368-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4856-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4856-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download