neconyd | 7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
Size

96KB
MD5

faba6b8efda574d5b206e71c9b0f0290
SHA1

f327efa0815365a06c2d7a32a9b0fdc8c814e59d
SHA256

7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670
SHA512

82bd7b26a497245203d5a02934d61407234814b8e3f4f369f77d9c16f805295678208f0e8681bf869deb60612dfaa522624c87567eb1330f7463d2bdbf82b515
SSDEEP

1536:AnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:AGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3748	omsecor.exe
1048	omsecor.exe
2368	omsecor.exe
4576	omsecor.exe
4668	omsecor.exe
4972	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 2164	4600	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	82
PID 3748 set thread context of 1048	3748	omsecor.exe	86
PID 2368 set thread context of 4576	2368	omsecor.exe	100
PID 4668 set thread context of 4972	4668	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3944	4600	WerFault.exe	81
3996	3748	WerFault.exe	84
4944	2368	WerFault.exe	99
1580	4668	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 2164	4600	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	82
PID 4600 wrote to memory of 2164	4600	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	82
PID 4600 wrote to memory of 2164	4600	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	82
PID 4600 wrote to memory of 2164	4600	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	82
PID 4600 wrote to memory of 2164	4600	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	82
PID 2164 wrote to memory of 3748	2164	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	84
PID 2164 wrote to memory of 3748	2164	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	84
PID 2164 wrote to memory of 3748	2164	7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe	84
PID 3748 wrote to memory of 1048	3748	omsecor.exe	86
PID 3748 wrote to memory of 1048	3748	omsecor.exe	86
PID 3748 wrote to memory of 1048	3748	omsecor.exe	86
PID 3748 wrote to memory of 1048	3748	omsecor.exe	86
PID 3748 wrote to memory of 1048	3748	omsecor.exe	86
PID 1048 wrote to memory of 2368	1048	omsecor.exe	99
PID 1048 wrote to memory of 2368	1048	omsecor.exe	99
PID 1048 wrote to memory of 2368	1048	omsecor.exe	99
PID 2368 wrote to memory of 4576	2368	omsecor.exe	100
PID 2368 wrote to memory of 4576	2368	omsecor.exe	100
PID 2368 wrote to memory of 4576	2368	omsecor.exe	100
PID 2368 wrote to memory of 4576	2368	omsecor.exe	100
PID 2368 wrote to memory of 4576	2368	omsecor.exe	100
PID 4576 wrote to memory of 4668	4576	omsecor.exe	102
PID 4576 wrote to memory of 4668	4576	omsecor.exe	102
PID 4576 wrote to memory of 4668	4576	omsecor.exe	102
PID 4668 wrote to memory of 4972	4668	omsecor.exe	103
PID 4668 wrote to memory of 4972	4668	omsecor.exe	103
PID 4668 wrote to memory of 4972	4668	omsecor.exe	103
PID 4668 wrote to memory of 4972	4668	omsecor.exe	103
PID 4668 wrote to memory of 4972	4668	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
"C:\Users\Admin\AppData\Local\Temp\7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
  C:\Users\Admin\AppData\Local\Temp\7abf0a72ea0bf1569b071fccfdc49e1001adf7c5ede23145f7b67cc24bf46670N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 268
        8⤵
        Program crash
        
        PID:1580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 292
        6⤵
        Program crash
        
        PID:4944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 288
      4⤵
      Program crash
      PID:3996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 288
  2⤵
  - Program crash
  PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4600 -ip 4600
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3748 -ip 3748
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2368 -ip 2368
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4668 -ip 4668
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
20e74b445aa4e11086a8ca4bc7002d07

SHA1
b15ebc9386b92a854dc4c84b36239067ef931199

SHA256
d7e5d86bf0fa1ea6a12c688d8bf647b914a1af67f429a13fd525c332aaf144d9

SHA512
566ca6306f764c6b6c487462c0ba2b667a9b9a190e0144545712c44b56fd27fbc50c5bfcc4bd268c28be69c265b8ccae3a3378dd46a207de7fbf61e66dc80d5c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
68eb1220585ba097197cb66d41e54b26

SHA1
6374d089eeb2c0ce3c75fed371b6a26dfd579591

SHA256
bf50d35bd54110196313dc58854973498b0b0cab4820876c30b147efb6ba7254

SHA512
f554336f5caa3b679b0fa327f8897c3b410645fb2862fe4c08f6396efa7d7c6a949f224e8f3748f99fcc1e3ca3e477c1cd0b981cab77fc70e8a6a3590a232943

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
faf797b9be31c99b853529b137f3e3c7

SHA1
56132408374fa2537fc1375127be98586600b324

SHA256
f45ad277f08ba4a12e8a25fbee956da4bac2ddf661e6f7efdb31eb7afb807f67

SHA512
d2e6ee4a8182ec64b19daa3f73d3c9818bb9bfbbcc3948e156c4aded30a97534aeaaba27a0563be00506dcb745135c5546b88bc59aeb23ade9304b8ee7c7925b

Download Submit
memory/1048-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2368-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3748-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4576-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4600-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4600-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4668-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4972-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4972-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4972-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download