neconyd | ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe
Size

96KB
MD5

99ca5d0619fad80b91b8db48c0816d89
SHA1

917ea111c1ec1d8974d6833556bfc15e23ca0f68
SHA256

ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23
SHA512

014ade3f395ec2160f62a30d9771e953f661bce89feaa6a6a297771534096e57189ee0956940d07b12887146da8a89f4d336c2f8d2839a7527112199dc556891
SSDEEP

1536:bnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:bGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1512	omsecor.exe
4656	omsecor.exe
2096	omsecor.exe
2180	omsecor.exe
4952	omsecor.exe
1580	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 4200	4488	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe	82
PID 1512 set thread context of 4656	1512	omsecor.exe	86
PID 2096 set thread context of 2180	2096	omsecor.exe	100
PID 4952 set thread context of 1580	4952	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3400	4488	WerFault.exe	81
976	1512	WerFault.exe	85
4248	2096	WerFault.exe	99
3132	4952	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 4200	4488	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe	82
PID 4488 wrote to memory of 4200	4488	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe	82
PID 4488 wrote to memory of 4200	4488	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe	82
PID 4488 wrote to memory of 4200	4488	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe	82
PID 4488 wrote to memory of 4200	4488	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe	82
PID 4200 wrote to memory of 1512	4200	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe	85
PID 4200 wrote to memory of 1512	4200	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe	85
PID 4200 wrote to memory of 1512	4200	ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe	85
PID 1512 wrote to memory of 4656	1512	omsecor.exe	86
PID 1512 wrote to memory of 4656	1512	omsecor.exe	86
PID 1512 wrote to memory of 4656	1512	omsecor.exe	86
PID 1512 wrote to memory of 4656	1512	omsecor.exe	86
PID 1512 wrote to memory of 4656	1512	omsecor.exe	86
PID 4656 wrote to memory of 2096	4656	omsecor.exe	99
PID 4656 wrote to memory of 2096	4656	omsecor.exe	99
PID 4656 wrote to memory of 2096	4656	omsecor.exe	99
PID 2096 wrote to memory of 2180	2096	omsecor.exe	100
PID 2096 wrote to memory of 2180	2096	omsecor.exe	100
PID 2096 wrote to memory of 2180	2096	omsecor.exe	100
PID 2096 wrote to memory of 2180	2096	omsecor.exe	100
PID 2096 wrote to memory of 2180	2096	omsecor.exe	100
PID 2180 wrote to memory of 4952	2180	omsecor.exe	102
PID 2180 wrote to memory of 4952	2180	omsecor.exe	102
PID 2180 wrote to memory of 4952	2180	omsecor.exe	102
PID 4952 wrote to memory of 1580	4952	omsecor.exe	104
PID 4952 wrote to memory of 1580	4952	omsecor.exe	104
PID 4952 wrote to memory of 1580	4952	omsecor.exe	104
PID 4952 wrote to memory of 1580	4952	omsecor.exe	104
PID 4952 wrote to memory of 1580	4952	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe
"C:\Users\Admin\AppData\Local\Temp\ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\Temp\ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe
  C:\Users\Admin\AppData\Local\Temp\ab9afb3150852f7bb5830cc0c2edbdaa3d6798e232dfcdac9c69ea1345e57f23.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 256
        8⤵
        Program crash
        
        PID:3132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 292
        6⤵
        Program crash
        
        PID:4248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 288
      4⤵
      Program crash
      PID:976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 288
  2⤵
  - Program crash
  PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4488 -ip 4488
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1512 -ip 1512
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2096 -ip 2096
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4952 -ip 4952
1⤵
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
7bbadd4421fea180223fbee43fe5836d

SHA1
a4044e5e9130cd74daf75f10eb97e3128b113873

SHA256
458a5d25d87fae5ae46be57202a8dac4a69065dcd9af137efb943d25e2209675

SHA512
b0b2972ccd84e6ff97cb97673096e9f5a067ab99913d50a75dfdee60f2515fc8cc0431b675fd2e08fa634851f14b75cd8f231d7e493bc34d89eb535c97b60d85

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0b68407d1d3ebead4c0c0ec47a2deebe

SHA1
6e4d47ec6c8851212d678a3d07ab5b34cac9a75d

SHA256
d6dddf93e564fd10026c2449df9ae0bab7dfc2e33063281b07a6b09ed10f561a

SHA512
dda5f7c3801703b6d2a59dab44d27bdb1ef524e6390e74738e5cccae9eda4fb2ce7a6559e1769b12558569698395a8cf11b47f81a1724b457fec2c9873af44b0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
606efa802a802a90f0fd4e4fa2b05cf8

SHA1
458a107a748d2863e950fd260d37b830b0866550

SHA256
c5d1d39b6e3fd5e0ac0c60d785fc9d0adf2a6c024c440591f5800e6cee3c1976

SHA512
83ba8ad7b646a7051c9c7a40bf7b43c9b3319dce7979726af2a0407fe6919d1dcd1527fc44fb10ca7156d4a225faa925aa2599cccc9367fbc7dcb1263dc3304f

Download Submit
memory/1512-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1512-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1580-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1580-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1580-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1580-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2096-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2180-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2180-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2180-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4200-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4200-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4200-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4200-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4488-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4488-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4656-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4656-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4656-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4656-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4656-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4656-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4656-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4952-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4952-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download