neconyd | 15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
Size

134KB
MD5

eb3d3b17e41c40cbae73072b9d9a1a7d
SHA1

7c0feef921da8f9d08a476d64afcd55a4bf02726
SHA256

15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d
SHA512

0820ee2bfb04115354be88347bb000ab4d97d65551a64d04f62740d841e663506cb40f4e6eeb1b76ad1650c64d2f1a7d63fc8618083fcdccd725fe4096e293b7
SSDEEP

1536:8DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi1:iiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1556	omsecor.exe
3564	omsecor.exe
2500	omsecor.exe
2020	omsecor.exe
2144	omsecor.exe
3284	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 5044	4392	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	83
PID 1556 set thread context of 3564	1556	omsecor.exe	88
PID 2500 set thread context of 2020	2500	omsecor.exe	108
PID 2144 set thread context of 3284	2144	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3416	4392	WerFault.exe	82
2056	1556	WerFault.exe	85
4100	2500	WerFault.exe	107
3396	2144	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 5044	4392	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	83
PID 4392 wrote to memory of 5044	4392	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	83
PID 4392 wrote to memory of 5044	4392	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	83
PID 4392 wrote to memory of 5044	4392	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	83
PID 4392 wrote to memory of 5044	4392	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	83
PID 5044 wrote to memory of 1556	5044	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	85
PID 5044 wrote to memory of 1556	5044	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	85
PID 5044 wrote to memory of 1556	5044	15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe	85
PID 1556 wrote to memory of 3564	1556	omsecor.exe	88
PID 1556 wrote to memory of 3564	1556	omsecor.exe	88
PID 1556 wrote to memory of 3564	1556	omsecor.exe	88
PID 1556 wrote to memory of 3564	1556	omsecor.exe	88
PID 1556 wrote to memory of 3564	1556	omsecor.exe	88
PID 3564 wrote to memory of 2500	3564	omsecor.exe	107
PID 3564 wrote to memory of 2500	3564	omsecor.exe	107
PID 3564 wrote to memory of 2500	3564	omsecor.exe	107
PID 2500 wrote to memory of 2020	2500	omsecor.exe	108
PID 2500 wrote to memory of 2020	2500	omsecor.exe	108
PID 2500 wrote to memory of 2020	2500	omsecor.exe	108
PID 2500 wrote to memory of 2020	2500	omsecor.exe	108
PID 2500 wrote to memory of 2020	2500	omsecor.exe	108
PID 2020 wrote to memory of 2144	2020	omsecor.exe	110
PID 2020 wrote to memory of 2144	2020	omsecor.exe	110
PID 2020 wrote to memory of 2144	2020	omsecor.exe	110
PID 2144 wrote to memory of 3284	2144	omsecor.exe	112
PID 2144 wrote to memory of 3284	2144	omsecor.exe	112
PID 2144 wrote to memory of 3284	2144	omsecor.exe	112
PID 2144 wrote to memory of 3284	2144	omsecor.exe	112
PID 2144 wrote to memory of 3284	2144	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
"C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
  C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 268
        8⤵
        Program crash
        
        PID:3396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 296
        6⤵
        Program crash
        
        PID:4100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 300
      4⤵
      Program crash
      PID:2056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 288
  2⤵
  - Program crash
  PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4392 -ip 4392
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1556 -ip 1556
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2500 -ip 2500
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2144 -ip 2144
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
0701c7bc226175e2ba2da7adf73de838

SHA1
6ba6942196c6ddca2715ad2a5351d36cbd36cf57

SHA256
f8b46741151367ccc2990643a0cea813cb0068dd28db64d6fea53f1d86ba7bea

SHA512
f6647f8816ea1c36d293383a48032b9601ec90c6131c3891d8ff8182e591353d12e8f1921320320d2f72e36dd619451fb4e577a866495e2493cd376cb5746a9c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d8dc678a990a8c9c9cda88f0c85cbe7f

SHA1
0b040a20c5fe18ab9cf556c55aaeafe57caf7464

SHA256
249d43173536b014132143ab2662a6ce14272b622d62e1d120f3878c70464002

SHA512
d5c179a2c8399e6362f50390eca0473dcf6ccdc12011a37eaa05f8cdd5bd4694f39a27734e1ce6b5a34a8abb845f333f876eab96b26a333f8a5a8dfd49c2b596

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
3d5320293cf26cd6a22484db1a9fe2e7

SHA1
628afd5fd0789d08a57a8e35aeb3734a576203f8

SHA256
59c3011a03d0465222a15801992654d1840c2d5a6d448006ce4a6fae5e6e297e

SHA512
ce0797675f2bb7c0ff40f13b2838821890ff41b15396c9006106f53f8fb7da90ff0ae4b5aa46ca71e860f6d8782a416b24c149ad473fd43b1ca90c72b732e5ca

Download Submit
memory/1556-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1556-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2020-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2144-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2500-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2500-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3284-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3284-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3284-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3564-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4392-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4392-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5044-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5044-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download