neconyd | 0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
Size

96KB
MD5

14d561cfa5fce0bd354d39de071973ae
SHA1

15902cd3741f7e31a29660bbff5459e1d5a076a0
SHA256

0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e
SHA512

79075baf6cecece7a68afbe0d601d44e8af107a79a31bfd1d6f0c9633c5a5539b19ed0d57e6d8c1ab834aa29952dd5d66eafa44bdaf42417dd4b9599a4661629
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:QGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4692	omsecor.exe
4204	omsecor.exe
4520	omsecor.exe
1180	omsecor.exe
2380	omsecor.exe
3740	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 704 set thread context of 880	704	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	83
PID 4692 set thread context of 4204	4692	omsecor.exe	87
PID 4520 set thread context of 1180	4520	omsecor.exe	109
PID 2380 set thread context of 3740	2380	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3740	704	WerFault.exe	82
2172	4692	WerFault.exe	85
1860	4520	WerFault.exe	108
4692	2380	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 880	704	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	83
PID 704 wrote to memory of 880	704	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	83
PID 704 wrote to memory of 880	704	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	83
PID 704 wrote to memory of 880	704	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	83
PID 704 wrote to memory of 880	704	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	83
PID 880 wrote to memory of 4692	880	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	85
PID 880 wrote to memory of 4692	880	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	85
PID 880 wrote to memory of 4692	880	0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe	85
PID 4692 wrote to memory of 4204	4692	omsecor.exe	87
PID 4692 wrote to memory of 4204	4692	omsecor.exe	87
PID 4692 wrote to memory of 4204	4692	omsecor.exe	87
PID 4692 wrote to memory of 4204	4692	omsecor.exe	87
PID 4692 wrote to memory of 4204	4692	omsecor.exe	87
PID 4204 wrote to memory of 4520	4204	omsecor.exe	108
PID 4204 wrote to memory of 4520	4204	omsecor.exe	108
PID 4204 wrote to memory of 4520	4204	omsecor.exe	108
PID 4520 wrote to memory of 1180	4520	omsecor.exe	109
PID 4520 wrote to memory of 1180	4520	omsecor.exe	109
PID 4520 wrote to memory of 1180	4520	omsecor.exe	109
PID 4520 wrote to memory of 1180	4520	omsecor.exe	109
PID 4520 wrote to memory of 1180	4520	omsecor.exe	109
PID 1180 wrote to memory of 2380	1180	omsecor.exe	111
PID 1180 wrote to memory of 2380	1180	omsecor.exe	111
PID 1180 wrote to memory of 2380	1180	omsecor.exe	111
PID 2380 wrote to memory of 3740	2380	omsecor.exe	112
PID 2380 wrote to memory of 3740	2380	omsecor.exe	112
PID 2380 wrote to memory of 3740	2380	omsecor.exe	112
PID 2380 wrote to memory of 3740	2380	omsecor.exe	112
PID 2380 wrote to memory of 3740	2380	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
"C:\Users\Admin\AppData\Local\Temp\0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Local\Temp\0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
  C:\Users\Admin\AppData\Local\Temp\0e04fd83bb4501b231e663a8d3c6826d0ba888027f74be4e057d313e10a8aa9e.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 268
        8⤵
        Program crash
        
        PID:4692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 292
        6⤵
        Program crash
        
        PID:1860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 276
      4⤵
      Program crash
      PID:2172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 288
  2⤵
  - Program crash
  PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 704 -ip 704
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4692 -ip 4692
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4520 -ip 4520
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2380 -ip 2380
1⤵
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e8fd4d6f5330d9dc09cb3121a1f06060

SHA1
659eb7d4a8c0fc7f9d9788e5f2ffff03b42e07af

SHA256
212f9b395d9949d71dd34b7363265aaf8261e438e5f9f92312db850e20361a29

SHA512
a6ed20e62fd8c37e95d55ee64ad747fdf3ae4d891927e2ae40da9e84542b46bef2e05d9c659913fe83c7aa2f27a2e23a1faae88222560cbe153a46bf033c4c39

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0d94f2f9ce58c6512ecccde2407fec6b

SHA1
460dd6382baf7903d034191fd9540f07d3e64181

SHA256
5ae4e3d22700fcca42a7fb2d5d8b64944272d7fd50befe7d069a966ec85accd7

SHA512
0ec68ee2ddec73ccb175a5e1a759dc92fa5cb9f79baeadc5d9b2fe4ab0dc5aae74855b5ad1b2d18e304aeb1495a314405123c50e35a7b56b09cb044464c6314a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
61192b5390a131948c9c5ba733dcbbd1

SHA1
934e73369c9391c37fdcdcf12eb05b2ab465312b

SHA256
5a3b1e9e73804d8cf9ca9e3ead46b1ad3cd38fa8cf544d1c6030beab934d57bb

SHA512
ff16c057f686ae6ba85c3990711cb359aec011ef680b2302b818528b49493eaed71853e3a69d1347de00f87b51c6d5aeb521aa425149044e68bca8bae7f78cee

Download Submit
memory/704-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/704-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/880-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/880-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/880-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/880-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1180-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1180-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1180-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2380-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3740-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3740-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3740-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4520-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4520-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4692-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4692-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download