neconyd | 1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe
Size

96KB
MD5

526f09b131e50e09afbb2e5b581fae60
SHA1

5e0a3e5e30de8c5b18165e4ffc15b47e43c07a1e
SHA256

1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70
SHA512

0635a7aa65177fbcf29c5d3d65c4768ad601d966f1104a917dcb800e79a750e7ba4c141ba2428594a5cea211015df3311a05bd46a1c4904ec12f2018410df793
SSDEEP

1536:ynAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:yGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1340	omsecor.exe
2760	omsecor.exe
1836	omsecor.exe
2480	omsecor.exe
3332	omsecor.exe
2456	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1132	2004	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe	83
PID 1340 set thread context of 2760	1340	omsecor.exe	87
PID 1836 set thread context of 2480	1836	omsecor.exe	108
PID 3332 set thread context of 2456	3332	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3904	2004	WerFault.exe	82
1912	1340	WerFault.exe	85
2412	1836	WerFault.exe	107
3612	3332	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1132	2004	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe	83
PID 2004 wrote to memory of 1132	2004	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe	83
PID 2004 wrote to memory of 1132	2004	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe	83
PID 2004 wrote to memory of 1132	2004	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe	83
PID 2004 wrote to memory of 1132	2004	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe	83
PID 1132 wrote to memory of 1340	1132	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe	85
PID 1132 wrote to memory of 1340	1132	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe	85
PID 1132 wrote to memory of 1340	1132	1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe	85
PID 1340 wrote to memory of 2760	1340	omsecor.exe	87
PID 1340 wrote to memory of 2760	1340	omsecor.exe	87
PID 1340 wrote to memory of 2760	1340	omsecor.exe	87
PID 1340 wrote to memory of 2760	1340	omsecor.exe	87
PID 1340 wrote to memory of 2760	1340	omsecor.exe	87
PID 2760 wrote to memory of 1836	2760	omsecor.exe	107
PID 2760 wrote to memory of 1836	2760	omsecor.exe	107
PID 2760 wrote to memory of 1836	2760	omsecor.exe	107
PID 1836 wrote to memory of 2480	1836	omsecor.exe	108
PID 1836 wrote to memory of 2480	1836	omsecor.exe	108
PID 1836 wrote to memory of 2480	1836	omsecor.exe	108
PID 1836 wrote to memory of 2480	1836	omsecor.exe	108
PID 1836 wrote to memory of 2480	1836	omsecor.exe	108
PID 2480 wrote to memory of 3332	2480	omsecor.exe	110
PID 2480 wrote to memory of 3332	2480	omsecor.exe	110
PID 2480 wrote to memory of 3332	2480	omsecor.exe	110
PID 3332 wrote to memory of 2456	3332	omsecor.exe	112
PID 3332 wrote to memory of 2456	3332	omsecor.exe	112
PID 3332 wrote to memory of 2456	3332	omsecor.exe	112
PID 3332 wrote to memory of 2456	3332	omsecor.exe	112
PID 3332 wrote to memory of 2456	3332	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe
"C:\Users\Admin\AppData\Local\Temp\1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe
  C:\Users\Admin\AppData\Local\Temp\1f258bc13ee7af4278a9f6b79a7885857d0fb89c162bd94507bb78c1c91e8c70N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 240
        8⤵
        Program crash
        
        PID:3612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 292
        6⤵
        Program crash
        
        PID:2412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 288
      4⤵
      Program crash
      PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 288
  2⤵
  - Program crash
  PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2004 -ip 2004
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1340 -ip 1340
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1836 -ip 1836
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3332 -ip 3332
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
a2e52edda64cd75e9e454578bd24047e

SHA1
16f2673af5eec02c5234a6206e15afc1c14a61f1

SHA256
84ed725db1927314bf66d4d119edc49273587d961b01d3c9b40413c91d645e08

SHA512
88703a867b27940156e2584e53d45e992d11361eb05c563672a4b3e944f589a01d4310344a900c8bc381b475470f0ac4a6874f6862e8dd7d118f910433a9df58

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
fa3117e39b8ed88967b4ca79432ce9a4

SHA1
7cc5c7e51731b1c1b1a0c25eaf13c7053e453d3c

SHA256
4b6a6c6d11b4ba1bb9e0690f2dbcb58e737774e00ea0bf1c7769582b87d63987

SHA512
6bbfea8a4d98a6b63487aa81030a1de3b90e60ac8047e16c2f15d7a2893ed98165a2d7f38afae86c7d48c44bbf7b75c86f8285a2887e1284d4487b9c10e0e0c7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
6420ee35c0f83efa1395ffdf09f290b6

SHA1
9fdc4f4a013402c95b00fa0a0164c8eb6b9e6a6c

SHA256
977265bea3243e951b597c9edce4dbecffcdd44d5c947490608e60b64d45c594

SHA512
ed8df5aa805bc11f354140fce392338b6e030ddd8eb7a09d3b0ef45395855612f0a97bcafce82bab45e28930ab77a0e44d6f6af9fe460912168f60f8be2fe8be

Download Submit
memory/1132-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1132-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1132-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1132-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1340-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1340-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1836-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2004-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2004-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2456-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3332-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3332-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download