neconyd | 0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe
Size

96KB
MD5

9c367121455f7c190a2b95b57eb4f580
SHA1

80aa31fc53a3b99bfeda3f4ba8234f2bd8de98ef
SHA256

0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28
SHA512

a419dc985d1188d35f9922d02baa73b86c9abdfba62293732d1caf9500940cc012f4ffba1aae87caede45d9772d90d8c0e8db6c419f3bfd9d5cd1605c126e8ac
SSDEEP

1536:gnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:gGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
5004	omsecor.exe
4572	omsecor.exe
5096	omsecor.exe
1792	omsecor.exe
4564	omsecor.exe
2356	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 1280	2584	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe	83
PID 5004 set thread context of 4572	5004	omsecor.exe	88
PID 5096 set thread context of 1792	5096	omsecor.exe	108
PID 4564 set thread context of 2356	4564	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4876	2584	WerFault.exe	82
1628	5004	WerFault.exe	86
3536	5096	WerFault.exe	107
4592	4564	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1280	2584	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe	83
PID 2584 wrote to memory of 1280	2584	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe	83
PID 2584 wrote to memory of 1280	2584	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe	83
PID 2584 wrote to memory of 1280	2584	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe	83
PID 2584 wrote to memory of 1280	2584	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe	83
PID 1280 wrote to memory of 5004	1280	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe	86
PID 1280 wrote to memory of 5004	1280	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe	86
PID 1280 wrote to memory of 5004	1280	0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe	86
PID 5004 wrote to memory of 4572	5004	omsecor.exe	88
PID 5004 wrote to memory of 4572	5004	omsecor.exe	88
PID 5004 wrote to memory of 4572	5004	omsecor.exe	88
PID 5004 wrote to memory of 4572	5004	omsecor.exe	88
PID 5004 wrote to memory of 4572	5004	omsecor.exe	88
PID 4572 wrote to memory of 5096	4572	omsecor.exe	107
PID 4572 wrote to memory of 5096	4572	omsecor.exe	107
PID 4572 wrote to memory of 5096	4572	omsecor.exe	107
PID 5096 wrote to memory of 1792	5096	omsecor.exe	108
PID 5096 wrote to memory of 1792	5096	omsecor.exe	108
PID 5096 wrote to memory of 1792	5096	omsecor.exe	108
PID 5096 wrote to memory of 1792	5096	omsecor.exe	108
PID 5096 wrote to memory of 1792	5096	omsecor.exe	108
PID 1792 wrote to memory of 4564	1792	omsecor.exe	110
PID 1792 wrote to memory of 4564	1792	omsecor.exe	110
PID 1792 wrote to memory of 4564	1792	omsecor.exe	110
PID 4564 wrote to memory of 2356	4564	omsecor.exe	112
PID 4564 wrote to memory of 2356	4564	omsecor.exe	112
PID 4564 wrote to memory of 2356	4564	omsecor.exe	112
PID 4564 wrote to memory of 2356	4564	omsecor.exe	112
PID 4564 wrote to memory of 2356	4564	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe
"C:\Users\Admin\AppData\Local\Temp\0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe
  C:\Users\Admin\AppData\Local\Temp\0970457ec5e1be106a356d6c657e11a6e5c4627724d74641915dd1dcd9698e28N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 268
        8⤵
        Program crash
        
        PID:4592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 292
        6⤵
        Program crash
        
        PID:3536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 276
      4⤵
      Program crash
      PID:1628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 288
  2⤵
  - Program crash
  PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2584 -ip 2584
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5004 -ip 5004
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5096 -ip 5096
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4564 -ip 4564
1⤵
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
bc48ebd967bcc79cee87e5449a0779a7

SHA1
d65fb78b128b1577a96b31c338939329a97860eb

SHA256
be81a49af8498591424d0373b556da5bb3b33e10d66c9b448ad4876ca40da91f

SHA512
d20d52614d3144e08fedd8de0249abf16c8ce3bcf8e7cf16f758c8a38300884fd9411a677ce1d47dfad2a6d186303168f422ea8b96e50cbb8f0c398e22f3a428

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
042e6d2f76a4b6dc1cd9160fb0477738

SHA1
6c529e1796a9bb4343e51efcb4e9179a87598e5d

SHA256
25951659ea125664d7125587ee82314a1815f66fe5da4831fb96ca73e9d567e9

SHA512
8baec220451eed3091dc728327db000b552421e7902baf00740368841a5c49c5a21d10603da7eb9ad485a680d9ce38b6136fdae551d6af48de830a06e4714dfc

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
64102be348f59fbdbe0ceccc325bb312

SHA1
c9bf7452a8fa0eb89b6562390138387b23be52ca

SHA256
aaa6d6a2e8810cd42cabaf86c86ceec29bf83afa486aa8608cc91f0e812e54ca

SHA512
dbcc1753848d0e3fc3c0d5b1ed38a401b2064dc264c974116cd2c3b8e3971f634d609d028ed15f964bed920af6699345d819dfdeca299956138c0eb013bcca6c

Download Submit
memory/1280-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1792-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1792-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1792-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2356-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2584-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4564-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4572-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4572-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4572-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4572-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4572-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4572-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4572-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5004-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5096-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5096-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download