neconyd | 80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Size

96KB
MD5

39752c4c63bf4b476d0112e272186b03
SHA1

c020dd4d1d84185880dc87b6426056b2c565879c
SHA256

80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07
SHA512

d8a023728118c10e0f4c47c085170264ab646fb2352acf03770da0a591216668c6f3a61d16abb8c1fe35e3484d9c3db63eddd17d6178353471814b8c4223bdbc
SSDEEP

1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:JGs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4116	omsecor.exe
3048	omsecor.exe
2236	omsecor.exe
2976	omsecor.exe
788	omsecor.exe
4820	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 3404	2540	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	83
PID 4116 set thread context of 3048	4116	omsecor.exe	87
PID 2236 set thread context of 2976	2236	omsecor.exe	101
PID 788 set thread context of 4820	788	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3536	2540	WerFault.exe	82
4368	4116	WerFault.exe	85
1424	2236	WerFault.exe	100
1600	788	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 3404	2540	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	83
PID 2540 wrote to memory of 3404	2540	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	83
PID 2540 wrote to memory of 3404	2540	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	83
PID 2540 wrote to memory of 3404	2540	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	83
PID 2540 wrote to memory of 3404	2540	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	83
PID 3404 wrote to memory of 4116	3404	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	85
PID 3404 wrote to memory of 4116	3404	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	85
PID 3404 wrote to memory of 4116	3404	80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe	85
PID 4116 wrote to memory of 3048	4116	omsecor.exe	87
PID 4116 wrote to memory of 3048	4116	omsecor.exe	87
PID 4116 wrote to memory of 3048	4116	omsecor.exe	87
PID 4116 wrote to memory of 3048	4116	omsecor.exe	87
PID 4116 wrote to memory of 3048	4116	omsecor.exe	87
PID 3048 wrote to memory of 2236	3048	omsecor.exe	100
PID 3048 wrote to memory of 2236	3048	omsecor.exe	100
PID 3048 wrote to memory of 2236	3048	omsecor.exe	100
PID 2236 wrote to memory of 2976	2236	omsecor.exe	101
PID 2236 wrote to memory of 2976	2236	omsecor.exe	101
PID 2236 wrote to memory of 2976	2236	omsecor.exe	101
PID 2236 wrote to memory of 2976	2236	omsecor.exe	101
PID 2236 wrote to memory of 2976	2236	omsecor.exe	101
PID 2976 wrote to memory of 788	2976	omsecor.exe	103
PID 2976 wrote to memory of 788	2976	omsecor.exe	103
PID 2976 wrote to memory of 788	2976	omsecor.exe	103
PID 788 wrote to memory of 4820	788	omsecor.exe	104
PID 788 wrote to memory of 4820	788	omsecor.exe	104
PID 788 wrote to memory of 4820	788	omsecor.exe	104
PID 788 wrote to memory of 4820	788	omsecor.exe	104
PID 788 wrote to memory of 4820	788	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
"C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
  C:\Users\Admin\AppData\Local\Temp\80dc1a830bae4060d1bfe3179fd9ec61a9bd4d437dc1540fc64c7ed871560f07.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 256
        8⤵
        Program crash
        
        PID:1600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 292
        6⤵
        Program crash
        
        PID:1424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 300
      4⤵
      Program crash
      PID:4368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 288
  2⤵
  - Program crash
  PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2540 -ip 2540
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4116 -ip 4116
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2236 -ip 2236
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 788 -ip 788
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
19ffc1ee753f15503190a6652d5e1c3b

SHA1
561a2d6d87154be6f17e1ca148caa6f2b357628e

SHA256
ff81fa82eb1aebcf03488de15aa1f5037f805723f81e15c26501ec98ffc5d7fd

SHA512
aec0b18c023ef23345e782e8efb772d0ac5c9dd01f48d29a9504b7a8df2f422aaaf07eb5b6c9f1b09f913540bc7bfe80ff721afc598650a28052095fdc45bad5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
056a0b1e7d2c66672f157cb6ad393425

SHA1
c33378011c7985aa6d0dee97f0b6fc91f2db4f7f

SHA256
53d96dc9a822f303f7791b69959a07db33a34576eec4499e2ece88c0cd76d401

SHA512
98a7d550fbc6cb9fb07774e0a5cdf46640c5f7d6d7285bca61b847684c828f722747014167f6ec5a7eee4254b3bfb8ad6f6116f06b459dd17e4aef8d5c2d0529

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
25e6c2ccf46908e74d5e8ffbf4e0cab1

SHA1
5e60916bf082c092818a2923f02d8b084a537495

SHA256
0540081031c3571568ae88de60e69c09108d02836af48125ddeaccd1588df97c

SHA512
556aa1fad4e6a033a0ed30c83ce415df4432c5a7cbafdb0e3977adb4906607345292227e876d116495f3aa03919c5bb1dd1d1547dd870fb68d87439b797794ff

Download Submit
memory/788-47-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2236-36-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2236-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2540-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2540-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2976-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2976-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3048-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3404-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3404-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3404-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3404-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4116-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4116-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4820-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download