neconyd | 1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
Size

96KB
MD5

b67bf83c78ed65549a8d17207df21650
SHA1

2555a01e772fd1f349128cf6e3daf275792885c7
SHA256

1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7
SHA512

2664132b45f60357d2bd93689caf16c2123af1b86683228f08cf249ea8f82d774b8a2c94785cf37fb811de51265195c1ed358444f61ab29441246787c77a1006
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:QGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3712	omsecor.exe
4508	omsecor.exe
4384	omsecor.exe
2296	omsecor.exe
2476	omsecor.exe
3572	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4924 set thread context of 3004	4924	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	83
PID 3712 set thread context of 4508	3712	omsecor.exe	87
PID 4384 set thread context of 2296	4384	omsecor.exe	107
PID 2476 set thread context of 3572	2476	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4296	4924	WerFault.exe	82
2292	3712	WerFault.exe	86
2948	4384	WerFault.exe	106
3188	2476	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 3004	4924	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	83
PID 4924 wrote to memory of 3004	4924	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	83
PID 4924 wrote to memory of 3004	4924	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	83
PID 4924 wrote to memory of 3004	4924	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	83
PID 4924 wrote to memory of 3004	4924	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	83
PID 3004 wrote to memory of 3712	3004	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	86
PID 3004 wrote to memory of 3712	3004	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	86
PID 3004 wrote to memory of 3712	3004	1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe	86
PID 3712 wrote to memory of 4508	3712	omsecor.exe	87
PID 3712 wrote to memory of 4508	3712	omsecor.exe	87
PID 3712 wrote to memory of 4508	3712	omsecor.exe	87
PID 3712 wrote to memory of 4508	3712	omsecor.exe	87
PID 3712 wrote to memory of 4508	3712	omsecor.exe	87
PID 4508 wrote to memory of 4384	4508	omsecor.exe	106
PID 4508 wrote to memory of 4384	4508	omsecor.exe	106
PID 4508 wrote to memory of 4384	4508	omsecor.exe	106
PID 4384 wrote to memory of 2296	4384	omsecor.exe	107
PID 4384 wrote to memory of 2296	4384	omsecor.exe	107
PID 4384 wrote to memory of 2296	4384	omsecor.exe	107
PID 4384 wrote to memory of 2296	4384	omsecor.exe	107
PID 4384 wrote to memory of 2296	4384	omsecor.exe	107
PID 2296 wrote to memory of 2476	2296	omsecor.exe	109
PID 2296 wrote to memory of 2476	2296	omsecor.exe	109
PID 2296 wrote to memory of 2476	2296	omsecor.exe	109
PID 2476 wrote to memory of 3572	2476	omsecor.exe	111
PID 2476 wrote to memory of 3572	2476	omsecor.exe	111
PID 2476 wrote to memory of 3572	2476	omsecor.exe	111
PID 2476 wrote to memory of 3572	2476	omsecor.exe	111
PID 2476 wrote to memory of 3572	2476	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
"C:\Users\Admin\AppData\Local\Temp\1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
  C:\Users\Admin\AppData\Local\Temp\1fb13eb3c72f0d3fd6499b2730c9f0e6dd2c2502a5575ba7a2e554ca368476c7N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 252
        8⤵
        Program crash
        
        PID:3188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 292
        6⤵
        Program crash
        
        PID:2948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 300
      4⤵
      Program crash
      PID:2292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 288
  2⤵
  - Program crash
  PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4924 -ip 4924
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3712 -ip 3712
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4384 -ip 4384
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2476 -ip 2476
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e7dc8ad1092bb7f600f440ac779a3a3d

SHA1
02e4c6ac925072779cf2dab4d7a4878b22f1a81f

SHA256
6d0382d60da5e8f05db6b296cd082d53f39fd77fe2bc39d0a8d1ad1daf917d47

SHA512
1017f33b96a97bf608721d06ba7eb8a0b033233e47d9c6363931c37911af1e8e31d1a734da51402e96328b1e2446bfed7b547a60031a8c9f2243c8288177221d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b19a446c42de54a24fa45c77f6e4ee7e

SHA1
2e83e343feee767331777ff4cfc886c0a23e6572

SHA256
0a47fad86b36ecbabd313364dd6362980876513ab1a33fb3fd09a360287e0fc3

SHA512
0f34b001797243ee88c29f3206ae4a472465374614e4f29132014324a0a4d41f2bb7041aabacd5ab4778b7fcd44754a841ff78b2174257a293e1d594273fb419

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d109a4d3b1b76c8f5c9fa1b1b712ec4e

SHA1
d36d6dddc087c8aa1814f75a96812f87e978e71d

SHA256
109711ae8edb82d71b7efab824bca0d9668ca165ddf8f607223771a64c401bcc

SHA512
1f6076f054ea56f7bc5c3821b158660f2feb7eccc1fc3a9e3bb252a9049f9a0d75a3f4de31f6d404fb573090247ed83c55cf36b6ff68d4e04f57392b8b823bb6

Download Submit
memory/2296-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3004-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3004-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3004-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3004-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3572-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3572-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3572-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3712-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3712-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4384-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4384-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4508-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4508-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4508-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4508-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4508-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4508-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4508-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4924-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4924-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download