neconyd | 66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1f

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
Size

134KB
MD5

da15a332b8cf2a85cbc1936c57bfc550
SHA1

b5037b8f1db6eba5bfff0be57f8a531f6bfcb78b
SHA256

66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1f
SHA512

5231cc1cf1e80fe4fa665c4ae8944da68c4d0bc0184af7b5b3adba025caaba1285cadb9dee3e49fb2b85cad03b34fb9b6c1cb4d98329d1662ada3396627df81c
SSDEEP

1536:gDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:WiRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2232	omsecor.exe
2504	omsecor.exe
2744	omsecor.exe
3780	omsecor.exe
2076	omsecor.exe
1116	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4052 set thread context of 4756	4052	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	82
PID 2232 set thread context of 2504	2232	omsecor.exe	86
PID 2744 set thread context of 3780	2744	omsecor.exe	100
PID 2076 set thread context of 1116	2076	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4804	4052	WerFault.exe	81
2176	2232	WerFault.exe	84
3188	2744	WerFault.exe	99
628	2076	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4756	4052	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	82
PID 4052 wrote to memory of 4756	4052	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	82
PID 4052 wrote to memory of 4756	4052	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	82
PID 4052 wrote to memory of 4756	4052	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	82
PID 4052 wrote to memory of 4756	4052	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	82
PID 4756 wrote to memory of 2232	4756	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	84
PID 4756 wrote to memory of 2232	4756	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	84
PID 4756 wrote to memory of 2232	4756	66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe	84
PID 2232 wrote to memory of 2504	2232	omsecor.exe	86
PID 2232 wrote to memory of 2504	2232	omsecor.exe	86
PID 2232 wrote to memory of 2504	2232	omsecor.exe	86
PID 2232 wrote to memory of 2504	2232	omsecor.exe	86
PID 2232 wrote to memory of 2504	2232	omsecor.exe	86
PID 2504 wrote to memory of 2744	2504	omsecor.exe	99
PID 2504 wrote to memory of 2744	2504	omsecor.exe	99
PID 2504 wrote to memory of 2744	2504	omsecor.exe	99
PID 2744 wrote to memory of 3780	2744	omsecor.exe	100
PID 2744 wrote to memory of 3780	2744	omsecor.exe	100
PID 2744 wrote to memory of 3780	2744	omsecor.exe	100
PID 2744 wrote to memory of 3780	2744	omsecor.exe	100
PID 2744 wrote to memory of 3780	2744	omsecor.exe	100
PID 3780 wrote to memory of 2076	3780	omsecor.exe	102
PID 3780 wrote to memory of 2076	3780	omsecor.exe	102
PID 3780 wrote to memory of 2076	3780	omsecor.exe	102
PID 2076 wrote to memory of 1116	2076	omsecor.exe	104
PID 2076 wrote to memory of 1116	2076	omsecor.exe	104
PID 2076 wrote to memory of 1116	2076	omsecor.exe	104
PID 2076 wrote to memory of 1116	2076	omsecor.exe	104
PID 2076 wrote to memory of 1116	2076	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
"C:\Users\Admin\AppData\Local\Temp\66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
  C:\Users\Admin\AppData\Local\Temp\66879b508276e9461d60f045aa18035a6fddc41cc0dfbdf761584110233d8a1fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 256
        8⤵
        Program crash
        
        PID:628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 296
        6⤵
        Program crash
        
        PID:3188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 296
      4⤵
      Program crash
      PID:2176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 288
  2⤵
  - Program crash
  PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4052 -ip 4052
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2232 -ip 2232
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2744 -ip 2744
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2076 -ip 2076
1⤵
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
1d65d84a4002e58f02765642b4867884

SHA1
faa74a125e87ed4e29314f441062acec269c2cec

SHA256
c2890bca0a904f6ace3dfcd6f0c18e4f551f8c8ce88a60525dd57cbbc5b2bd3e

SHA512
7725d9d8a09b7c4546c8522eb2c4e05ac5f0569b7f4d0366e4001c86dee024ec7a34a1b2f584e8f1b97b33de7118fbba54cb0f99b4a086a88862e1794bcd5b5d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
aac93333957ff73e37d29234e7ad42ec

SHA1
edb8eb7d719fc902587fc1d888bfbced9fcbe6da

SHA256
50f69b38b68ac43ad709758a6b74ca4b70dda2f4a00950017fed556d10460508

SHA512
ced3f480c3aaa952cea5ad0009be468b068af387b50adf8b5db0eb78929196975fd07ee17ce2f4e2527905a0339224880fe2d3e4a7a4ff0ee19cb58569e85130

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
d35a62acdc9a79444ab2b1dada2582cd

SHA1
90d898a15e9d0f6b281eea2298a75c8a9f25312a

SHA256
d846441b5dd41d636403e77cfcda92a54f0926e4a40a50777ab5733762483821

SHA512
e385c951f52097f15126b9871f2761ea97b6d382d9f31168d094fc925bceb9f8cfd90da89999570be8bf7060f51cc2d4c9c3b55d67721a2dcdbd7f4a3a993818

Download Submit
memory/1116-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1116-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1116-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2076-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2232-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2504-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2744-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2744-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3780-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3780-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3780-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4052-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4052-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4756-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4756-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4756-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4756-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download