neconyd | 80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07

Analysis

max time kernel
114s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Size

96KB
MD5

39752c4c63bf4b476d0112e272186b03
SHA1

c020dd4d1d84185880dc87b6426056b2c565879c
SHA256

80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07
SHA512

d8a023728118c10e0f4c47c085170264ab646fb2352acf03770da0a591216668c6f3a61d16abb8c1fe35e3484d9c3db63eddd17d6178353471814b8c4223bdbc
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:JGs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4936	omsecor.exe
4748	omsecor.exe
5008	omsecor.exe
4536	omsecor.exe
456	omsecor.exe
4452	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4476 set thread context of 3164	4476	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	82
PID 4936 set thread context of 4748	4936	omsecor.exe	87
PID 5008 set thread context of 4536	5008	omsecor.exe	100
PID 456 set thread context of 4452	456	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3520	4476	WerFault.exe	81
3256	4936	WerFault.exe	84
4660	5008	WerFault.exe	99
2500	456	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 3164	4476	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	82
PID 4476 wrote to memory of 3164	4476	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	82
PID 4476 wrote to memory of 3164	4476	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	82
PID 4476 wrote to memory of 3164	4476	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	82
PID 4476 wrote to memory of 3164	4476	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	82
PID 3164 wrote to memory of 4936	3164	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	84
PID 3164 wrote to memory of 4936	3164	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	84
PID 3164 wrote to memory of 4936	3164	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	84
PID 4936 wrote to memory of 4748	4936	omsecor.exe	87
PID 4936 wrote to memory of 4748	4936	omsecor.exe	87
PID 4936 wrote to memory of 4748	4936	omsecor.exe	87
PID 4936 wrote to memory of 4748	4936	omsecor.exe	87
PID 4936 wrote to memory of 4748	4936	omsecor.exe	87
PID 4748 wrote to memory of 5008	4748	omsecor.exe	99
PID 4748 wrote to memory of 5008	4748	omsecor.exe	99
PID 4748 wrote to memory of 5008	4748	omsecor.exe	99
PID 5008 wrote to memory of 4536	5008	omsecor.exe	100
PID 5008 wrote to memory of 4536	5008	omsecor.exe	100
PID 5008 wrote to memory of 4536	5008	omsecor.exe	100
PID 5008 wrote to memory of 4536	5008	omsecor.exe	100
PID 5008 wrote to memory of 4536	5008	omsecor.exe	100
PID 4536 wrote to memory of 456	4536	omsecor.exe	102
PID 4536 wrote to memory of 456	4536	omsecor.exe	102
PID 4536 wrote to memory of 456	4536	omsecor.exe	102
PID 456 wrote to memory of 4452	456	omsecor.exe	104
PID 456 wrote to memory of 4452	456	omsecor.exe	104
PID 456 wrote to memory of 4452	456	omsecor.exe	104
PID 456 wrote to memory of 4452	456	omsecor.exe	104
PID 456 wrote to memory of 4452	456	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
"C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
  C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 256
        8⤵
        Program crash
        
        PID:2500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 292
        6⤵
        Program crash
        
        PID:4660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 300
      4⤵
      Program crash
      PID:3256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 292
  2⤵
  - Program crash
  PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4476 -ip 4476
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4936 -ip 4936
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5008 -ip 5008
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 456 -ip 456
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8bc3c5ff3d925a0dd3f6b0885f15dd70

SHA1
a4250308d28707c7d1dfdf6c4bc6ae6d26f04b4a

SHA256
ca2186faf7d0d68355ae076ba07266cce7840e1dde624861792943e94de83d32

SHA512
2503a5b431d8ffe1a80f1bdc6ffdb6074aa6b491d3eaf06a19b832d3f6f16549985e018182ddb1f00e6d15b5647077e6e212a9ee5c3d37121f80a0826ebc9869

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
056a0b1e7d2c66672f157cb6ad393425

SHA1
c33378011c7985aa6d0dee97f0b6fc91f2db4f7f

SHA256
53d96dc9a822f303f7791b69959a07db33a34576eec4499e2ece88c0cd76d401

SHA512
98a7d550fbc6cb9fb07774e0a5cdf46640c5f7d6d7285bca61b847684c828f722747014167f6ec5a7eee4254b3bfb8ad6f6116f06b459dd17e4aef8d5c2d0529

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
2eb3f318062427f26b884fc8e74e820d

SHA1
66643137715e77a94ae02c79b250a5da7a72fd59

SHA256
496d94e88525c6f6d24b4fe8f1a1c708f215c8796cb737c573ed7efb88aa2813

SHA512
eefd894581a746aaae93096c3468a72d8c5c77d370d72a9d3765467a1dd6ae3138bbba2e26b9f90ce69a1975cce166ec2565d1f42f5429ccc6569db86ce18567

Download Submit
memory/456-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3164-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3164-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3164-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3164-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4452-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4452-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4452-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4476-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4476-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4536-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4536-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4536-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4936-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4936-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5008-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5008-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download