neconyd | 19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
Size

96KB
MD5

04b6069c77fed76c7be2a0c8e8f5d31c
SHA1

1154753584936c70bb37eeab1d8b8ec6aeed1721
SHA256

19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33
SHA512

91fe0dcb515cb04e0a829c25cddf10e15491f64fc419bfa45ffbac1402f5779926720cadb7629808990c1f16d36b3f257034d9d832c31cf3274d3be10e2385c0
SSDEEP

1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxO:jGs8cd8eXlYairZYqMddH13O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3508	omsecor.exe
4468	omsecor.exe
5100	omsecor.exe
3364	omsecor.exe
4776	omsecor.exe
2016	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3964 set thread context of 2736	3964	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe	83
PID 3508 set thread context of 4468	3508	omsecor.exe	88
PID 5100 set thread context of 3364	5100	omsecor.exe	108
PID 4776 set thread context of 2016	4776	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3868	3964	WerFault.exe	82
3920	3508	WerFault.exe	86
4284	5100	WerFault.exe	107
4200	4776	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 2736	3964	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe	83
PID 3964 wrote to memory of 2736	3964	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe	83
PID 3964 wrote to memory of 2736	3964	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe	83
PID 3964 wrote to memory of 2736	3964	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe	83
PID 3964 wrote to memory of 2736	3964	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe	83
PID 2736 wrote to memory of 3508	2736	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe	86
PID 2736 wrote to memory of 3508	2736	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe	86
PID 2736 wrote to memory of 3508	2736	19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe	86
PID 3508 wrote to memory of 4468	3508	omsecor.exe	88
PID 3508 wrote to memory of 4468	3508	omsecor.exe	88
PID 3508 wrote to memory of 4468	3508	omsecor.exe	88
PID 3508 wrote to memory of 4468	3508	omsecor.exe	88
PID 3508 wrote to memory of 4468	3508	omsecor.exe	88
PID 4468 wrote to memory of 5100	4468	omsecor.exe	107
PID 4468 wrote to memory of 5100	4468	omsecor.exe	107
PID 4468 wrote to memory of 5100	4468	omsecor.exe	107
PID 5100 wrote to memory of 3364	5100	omsecor.exe	108
PID 5100 wrote to memory of 3364	5100	omsecor.exe	108
PID 5100 wrote to memory of 3364	5100	omsecor.exe	108
PID 5100 wrote to memory of 3364	5100	omsecor.exe	108
PID 5100 wrote to memory of 3364	5100	omsecor.exe	108
PID 3364 wrote to memory of 4776	3364	omsecor.exe	110
PID 3364 wrote to memory of 4776	3364	omsecor.exe	110
PID 3364 wrote to memory of 4776	3364	omsecor.exe	110
PID 4776 wrote to memory of 2016	4776	omsecor.exe	111
PID 4776 wrote to memory of 2016	4776	omsecor.exe	111
PID 4776 wrote to memory of 2016	4776	omsecor.exe	111
PID 4776 wrote to memory of 2016	4776	omsecor.exe	111
PID 4776 wrote to memory of 2016	4776	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
"C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
  C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 256
        8⤵
        Program crash
        
        PID:4200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 292
        6⤵
        Program crash
        
        PID:4284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 288
      4⤵
      Program crash
      PID:3920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 288
  2⤵
  - Program crash
  PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3964 -ip 3964
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3508 -ip 3508
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5100 -ip 5100
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4776 -ip 4776
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c649afa12870ac41550298d3e7ab7358

SHA1
537a169a428f601433a8dc0d9691c0819e906b57

SHA256
1e7a6ae8012cc06b900703a01c4395e0915debd8aea349a806f3a5f7f68a1ca6

SHA512
0f40b98cfbe3bc089697638aa764ceef2ba998ad6ae62a157377d5d86ece37ea24c4118ef5264bd6ffe3030858c0169cb2576e40aaf8f6a84a7dcccc0c87f27c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e678be7f39536f4d6a8aec90c0b1b247

SHA1
6de6975a9b87a1f566afbb15eed1e6d9462e4629

SHA256
805a77fb8e6f5b0cb0df4f89649224aacb937a9178be576a27553d6558f88ca2

SHA512
17eea96040be28e169869b3be0c81d65eec32d14c0c0645ca1574ee9e3b74f5cc79b7987b2234e399dec0514a8d1ed5f54c84e741488e72e243609e4f75321f2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d3d340c311bba1d2642c1af89039f32a

SHA1
07ea39525afa8750cf9cfdba6ffcbbbcaf650717

SHA256
37d273b2587d78066ca85817ee21a603c841f6556f29421dc9fe75e393014bdd

SHA512
cb5aff3b33f8d25ff95eacd7310c59c865399b30c92cd1cfe339e86cad58f22daa3610d012ab25474c7cf73490ff04ad89dacf626ef3cd4ec3dfc580517b682e

Download Submit
memory/2016-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3364-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3364-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3364-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3508-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3508-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3964-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3964-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4468-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4776-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5100-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5100-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download