neconyd | 15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Size

96KB
MD5

6a80607d407893f9d45f48c152454f10
SHA1

977bc4c2f53cd5009d7945a1aaefd40109cf4cdc
SHA256

15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29
SHA512

3c7f553b0037820a70dacfeb6b1f33dea8db544e65b98b61bd94cf116bba90fc150563458795fe99440aeeb61d8f8bca8291de215d94c429f534ae24c6ea2029
SSDEEP

1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:DGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
5008	omsecor.exe
4796	omsecor.exe
4620	omsecor.exe
4856	omsecor.exe
3532	omsecor.exe
5096	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 3412	3028	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	83
PID 5008 set thread context of 4796	5008	omsecor.exe	87
PID 4620 set thread context of 4856	4620	omsecor.exe	110
PID 3532 set thread context of 5096	3532	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3812	3028	WerFault.exe	82
412	5008	WerFault.exe	85
400	4620	WerFault.exe	109
872	3532	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3412	3028	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	83
PID 3028 wrote to memory of 3412	3028	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	83
PID 3028 wrote to memory of 3412	3028	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	83
PID 3028 wrote to memory of 3412	3028	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	83
PID 3028 wrote to memory of 3412	3028	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	83
PID 3412 wrote to memory of 5008	3412	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	85
PID 3412 wrote to memory of 5008	3412	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	85
PID 3412 wrote to memory of 5008	3412	15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe	85
PID 5008 wrote to memory of 4796	5008	omsecor.exe	87
PID 5008 wrote to memory of 4796	5008	omsecor.exe	87
PID 5008 wrote to memory of 4796	5008	omsecor.exe	87
PID 5008 wrote to memory of 4796	5008	omsecor.exe	87
PID 5008 wrote to memory of 4796	5008	omsecor.exe	87
PID 4796 wrote to memory of 4620	4796	omsecor.exe	109
PID 4796 wrote to memory of 4620	4796	omsecor.exe	109
PID 4796 wrote to memory of 4620	4796	omsecor.exe	109
PID 4620 wrote to memory of 4856	4620	omsecor.exe	110
PID 4620 wrote to memory of 4856	4620	omsecor.exe	110
PID 4620 wrote to memory of 4856	4620	omsecor.exe	110
PID 4620 wrote to memory of 4856	4620	omsecor.exe	110
PID 4620 wrote to memory of 4856	4620	omsecor.exe	110
PID 4856 wrote to memory of 3532	4856	omsecor.exe	112
PID 4856 wrote to memory of 3532	4856	omsecor.exe	112
PID 4856 wrote to memory of 3532	4856	omsecor.exe	112
PID 3532 wrote to memory of 5096	3532	omsecor.exe	113
PID 3532 wrote to memory of 5096	3532	omsecor.exe	113
PID 3532 wrote to memory of 5096	3532	omsecor.exe	113
PID 3532 wrote to memory of 5096	3532	omsecor.exe	113
PID 3532 wrote to memory of 5096	3532	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
"C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
  C:\Users\Admin\AppData\Local\Temp\15dd8031ad305244eb6a3b1f7ef1e7270fa3dbb46c1d6e2053137025ed5cba29N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 268
        8⤵
        Program crash
        
        PID:872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 292
        6⤵
        Program crash
        
        PID:400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 288
      4⤵
      Program crash
      PID:412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 288
  2⤵
  - Program crash
  PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3028 -ip 3028
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5008 -ip 5008
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4620 -ip 4620
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3532 -ip 3532
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
92a9a564cc27914eb3011daecb899a2c

SHA1
4e8a7d4812fc9161027b53989d8d017e79c73cf5

SHA256
860307186d6db1a229d4c81e62eaf608ece531cf7866a669da8e26f5489ea635

SHA512
abee217e3035a6b8cf2cb6e478562b23c017f5a98aa3834f8ae685427d4c1094c8b41f0fd2ee55d0efc2c5352412b06417ba7ae59b9ba96fdda9f25c4332a72d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
198c00fc46538ca3f409fd37368211a6

SHA1
d565e298687d7a4a9468082beeccba2779cc8f7e

SHA256
e42df9a6c8cb6082776f191859b485ca31ef2e24170376f92bdf2f0fd8ea0c5e

SHA512
30b156b5aebee9b9a26656f0b4026ce8071493874d7f40e1423c4ca5b0c86e4152af2658131411a871af1f9615a842a0b636bb359625be0fd600faa20dc33d0e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
7d9e422e15a0fc2a58272b648d76af1c

SHA1
6eeafd165e3d2622b89488ae6a49269ac8efcdba

SHA256
3984ceeeea81844e83a8b5c53916b563b36c70dd7de843ba8fccb5608474206e

SHA512
148b987a1dcc78f00a797fa9b8c741b4bf7f521c49a9945ccff50a929a52f3309919366dfd6ef218accb93e9f4232ac15f23274a7391a9adb68372cb53833342

Download Submit
memory/3028-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3028-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3412-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3412-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3412-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3412-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4620-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4796-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4796-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4856-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4856-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4856-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5008-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5008-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5096-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5096-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5096-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download