neconyd | 764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe
Size

96KB
MD5

07b7492e8fbdce79ab235211e06b1e73
SHA1

6ba6a7862a0b42f343deb2872ca599e1d41fdef3
SHA256

764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e
SHA512

8360139355212aaed503ec588d0ea1c1d3bc9c67f953ccf28d3c446ddb483f837b23591d79feedeca88135daa268d4fa9fc3f470a175c8ea59c92406434527bd
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxO:UGs8cd8eXlYairZYqMddH13O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1600	omsecor.exe
3600	omsecor.exe
3916	omsecor.exe
3952	omsecor.exe
2772	omsecor.exe
5000	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4396 set thread context of 3360	4396	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe	83
PID 1600 set thread context of 3600	1600	omsecor.exe	88
PID 3916 set thread context of 3952	3916	omsecor.exe	107
PID 2772 set thread context of 5000	2772	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4732	4396	WerFault.exe	82
1168	1600	WerFault.exe	85
3876	3916	WerFault.exe	106
4972	2772	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3360	4396	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe	83
PID 4396 wrote to memory of 3360	4396	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe	83
PID 4396 wrote to memory of 3360	4396	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe	83
PID 4396 wrote to memory of 3360	4396	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe	83
PID 4396 wrote to memory of 3360	4396	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe	83
PID 3360 wrote to memory of 1600	3360	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe	85
PID 3360 wrote to memory of 1600	3360	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe	85
PID 3360 wrote to memory of 1600	3360	764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe	85
PID 1600 wrote to memory of 3600	1600	omsecor.exe	88
PID 1600 wrote to memory of 3600	1600	omsecor.exe	88
PID 1600 wrote to memory of 3600	1600	omsecor.exe	88
PID 1600 wrote to memory of 3600	1600	omsecor.exe	88
PID 1600 wrote to memory of 3600	1600	omsecor.exe	88
PID 3600 wrote to memory of 3916	3600	omsecor.exe	106
PID 3600 wrote to memory of 3916	3600	omsecor.exe	106
PID 3600 wrote to memory of 3916	3600	omsecor.exe	106
PID 3916 wrote to memory of 3952	3916	omsecor.exe	107
PID 3916 wrote to memory of 3952	3916	omsecor.exe	107
PID 3916 wrote to memory of 3952	3916	omsecor.exe	107
PID 3916 wrote to memory of 3952	3916	omsecor.exe	107
PID 3916 wrote to memory of 3952	3916	omsecor.exe	107
PID 3952 wrote to memory of 2772	3952	omsecor.exe	109
PID 3952 wrote to memory of 2772	3952	omsecor.exe	109
PID 3952 wrote to memory of 2772	3952	omsecor.exe	109
PID 2772 wrote to memory of 5000	2772	omsecor.exe	111
PID 2772 wrote to memory of 5000	2772	omsecor.exe	111
PID 2772 wrote to memory of 5000	2772	omsecor.exe	111
PID 2772 wrote to memory of 5000	2772	omsecor.exe	111
PID 2772 wrote to memory of 5000	2772	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe
"C:\Users\Admin\AppData\Local\Temp\764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe
  C:\Users\Admin\AppData\Local\Temp\764113b926fee9a741c7029d91574f7ba428089e4a6e40f62bad10175400627e.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 268
        8⤵
        Program crash
        
        PID:4972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 292
        6⤵
        Program crash
        
        PID:3876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 300
      4⤵
      Program crash
      PID:1168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 288
  2⤵
  - Program crash
  PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4396 -ip 4396
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1600 -ip 1600
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3916 -ip 3916
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2772 -ip 2772
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3fc16f5d38462f69d006a6844fab7b03

SHA1
43db6a11554784c891dd8dc187263d5fc79e47be

SHA256
8d834b2edf5f60a9662bd074c5787ba78ef27174fe517df37dfdd4cc768176e5

SHA512
2258cca998cbb866e7c103b259ed0cc18e95b2dfa4333bf64d03f0fa6b05d9204a4359104b2fdfde42e9ed426b5b69476d15c9b8fe7ae06f76cc9a84d15cee0d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a698af3f9b61f8e7932b45896a6ad955

SHA1
0e99ca687850689b76dacdefbd13294acd2eacd3

SHA256
f87969c53298da45732b7d417c2cd91ae75f1a56c89717342d113bbf81d52491

SHA512
c9f96c2a32ab090d2b557781f6a3906238fbc45ef3e53b8d5e12c505b6b5422b7cef9d567c8b4331dbd1447620072d2438e037b51dd01a65062ba6ea95c2428f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2b6419866dd847734254b0a7553c17c1

SHA1
b173de85605e9ccb63336a49cee53990ec268b8c

SHA256
cf80563ba91b643d15730fa2aa1faf1ef973aa6b39c92f51e491c7ba334c6dba

SHA512
c3fe1c612781c16950a876740ca81ea5bf73693f957f6d8f83c7d244269a289bbee9c7116975fcd5b5d4600dc6bcc7edfe547a52a664e5ba275cadecf3a145ef

Download Submit
memory/1600-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1600-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2772-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3360-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3360-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3360-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3360-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3600-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3600-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3600-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3600-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3600-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3600-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3600-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3916-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3916-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3952-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3952-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3952-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4396-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5000-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5000-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5000-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download