neconyd | 70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3ba

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
Size

96KB
MD5

175804491419924eb9cf95b29e411080
SHA1

bb1d15177426f78fb336c09714ff203915f39f46
SHA256

70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3ba
SHA512

ab3fad3131117fad88cb43d5e8c8adc741a710ed9c45a54266688f856a8b2745c461211c600291ebb257d6c58ac812f0f4eb9d7face98e4cacad1a53abd32617
SSDEEP

1536:/nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:/Gs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1888	omsecor.exe
4692	omsecor.exe
2392	omsecor.exe
4916	omsecor.exe
4000	omsecor.exe
376	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3472 set thread context of 1616	3472	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	83
PID 1888 set thread context of 4692	1888	omsecor.exe	87
PID 2392 set thread context of 4916	2392	omsecor.exe	109
PID 4000 set thread context of 376	4000	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4744	1888	WerFault.exe	85
1240	3472	WerFault.exe	82
2064	2392	WerFault.exe	108
3956	4000	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 1616	3472	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	83
PID 3472 wrote to memory of 1616	3472	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	83
PID 3472 wrote to memory of 1616	3472	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	83
PID 3472 wrote to memory of 1616	3472	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	83
PID 3472 wrote to memory of 1616	3472	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	83
PID 1616 wrote to memory of 1888	1616	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	85
PID 1616 wrote to memory of 1888	1616	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	85
PID 1616 wrote to memory of 1888	1616	70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe	85
PID 1888 wrote to memory of 4692	1888	omsecor.exe	87
PID 1888 wrote to memory of 4692	1888	omsecor.exe	87
PID 1888 wrote to memory of 4692	1888	omsecor.exe	87
PID 1888 wrote to memory of 4692	1888	omsecor.exe	87
PID 1888 wrote to memory of 4692	1888	omsecor.exe	87
PID 4692 wrote to memory of 2392	4692	omsecor.exe	108
PID 4692 wrote to memory of 2392	4692	omsecor.exe	108
PID 4692 wrote to memory of 2392	4692	omsecor.exe	108
PID 2392 wrote to memory of 4916	2392	omsecor.exe	109
PID 2392 wrote to memory of 4916	2392	omsecor.exe	109
PID 2392 wrote to memory of 4916	2392	omsecor.exe	109
PID 2392 wrote to memory of 4916	2392	omsecor.exe	109
PID 2392 wrote to memory of 4916	2392	omsecor.exe	109
PID 4916 wrote to memory of 4000	4916	omsecor.exe	111
PID 4916 wrote to memory of 4000	4916	omsecor.exe	111
PID 4916 wrote to memory of 4000	4916	omsecor.exe	111
PID 4000 wrote to memory of 376	4000	omsecor.exe	113
PID 4000 wrote to memory of 376	4000	omsecor.exe	113
PID 4000 wrote to memory of 376	4000	omsecor.exe	113
PID 4000 wrote to memory of 376	4000	omsecor.exe	113
PID 4000 wrote to memory of 376	4000	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
"C:\Users\Admin\AppData\Local\Temp\70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
  C:\Users\Admin\AppData\Local\Temp\70a20ee052a03dd900e71902d2a80b10d3cf14c409970342192acdbb8c44c3baN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 260
        8⤵
        Program crash
        
        PID:3956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 292
        6⤵
        Program crash
        
        PID:2064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 300
      4⤵
      Program crash
      PID:4744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 296
  2⤵
  - Program crash
  PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3472 -ip 3472
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1888 -ip 1888
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2392 -ip 2392
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4000 -ip 4000
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3922e6d835a77d30d91fb911e801b138

SHA1
372fc9f0818be6ff47ffd9c77db294216a4ad8fa

SHA256
c8200134f178ff27791187ac133bf3f8d4d0a160e730ca87a0c70eb42095490e

SHA512
34c1f4a782cd75f416bcd465c3157f1195d960060693c9e5c17082c84cb301648bd7302cd73e435ea43a04f1b42e99f44df511323afc9feacb3b5f78a9c94756

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
34132ba5d6e8d957ea4f406d8a1cd8e7

SHA1
992da18f3cff8f20386a8be9c0138cd3ecdee377

SHA256
0b55c7b1fba713a2eb8587194cf772ac9953214fda65c7df533af04d7ea35c29

SHA512
5de50668cc5fa5a73a5e924f9109afb0a875b8dc1556d7a3fb6a1cc2c771fd78625ce9fba394699bac23898c1942c11c6b3edb5e718570512ba47a4c7e40bf39

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6937512f48dce35aa5fc638d789bef63

SHA1
b8ec9f02839a198c019be9e31862fd2e5983380d

SHA256
a5770d6027d7ac038d127b8c1fc9fb339a01f3bda24bd69d539a3cbfbaa4797e

SHA512
03505fa0936954c827342e16a5a241cd5c04c0fa1a57581907297758867e8689651bf650ff4a39f71addc658efaafb9142c6e3e5f79f41fb47b34465704bcce0

Download Submit
memory/376-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/376-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/376-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1616-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1616-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1616-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1616-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1888-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2392-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2392-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3472-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3472-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4000-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4692-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4692-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4692-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4692-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4692-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4692-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4692-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4916-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download