neconyd | fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe
Size

134KB
MD5

32eb432058e7df3ac503e9052922d21f
SHA1

0c5b18d9fbb106ed63d776607733b22c72710712
SHA256

fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff
SHA512

5dcf17e7cb61a391d66cc046746382e87f856bfb05de1c119fb13fd8e497c5f06f6e13973d6f9b24a81a289f29fafd93d22f831d2013d585b22eec2264cb3460
SSDEEP

1536:2DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:oiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
636	omsecor.exe
4512	omsecor.exe
3092	omsecor.exe
3648	omsecor.exe
2336	omsecor.exe
5028	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 2040	4344	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe	82
PID 636 set thread context of 4512	636	omsecor.exe	87
PID 3092 set thread context of 3648	3092	omsecor.exe	100
PID 2336 set thread context of 5028	2336	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
968	4344	WerFault.exe	81
3544	636	WerFault.exe	85
4664	3092	WerFault.exe	99
852	2336	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 2040	4344	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe	82
PID 4344 wrote to memory of 2040	4344	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe	82
PID 4344 wrote to memory of 2040	4344	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe	82
PID 4344 wrote to memory of 2040	4344	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe	82
PID 4344 wrote to memory of 2040	4344	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe	82
PID 2040 wrote to memory of 636	2040	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe	85
PID 2040 wrote to memory of 636	2040	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe	85
PID 2040 wrote to memory of 636	2040	fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe	85
PID 636 wrote to memory of 4512	636	omsecor.exe	87
PID 636 wrote to memory of 4512	636	omsecor.exe	87
PID 636 wrote to memory of 4512	636	omsecor.exe	87
PID 636 wrote to memory of 4512	636	omsecor.exe	87
PID 636 wrote to memory of 4512	636	omsecor.exe	87
PID 4512 wrote to memory of 3092	4512	omsecor.exe	99
PID 4512 wrote to memory of 3092	4512	omsecor.exe	99
PID 4512 wrote to memory of 3092	4512	omsecor.exe	99
PID 3092 wrote to memory of 3648	3092	omsecor.exe	100
PID 3092 wrote to memory of 3648	3092	omsecor.exe	100
PID 3092 wrote to memory of 3648	3092	omsecor.exe	100
PID 3092 wrote to memory of 3648	3092	omsecor.exe	100
PID 3092 wrote to memory of 3648	3092	omsecor.exe	100
PID 3648 wrote to memory of 2336	3648	omsecor.exe	102
PID 3648 wrote to memory of 2336	3648	omsecor.exe	102
PID 3648 wrote to memory of 2336	3648	omsecor.exe	102
PID 2336 wrote to memory of 5028	2336	omsecor.exe	104
PID 2336 wrote to memory of 5028	2336	omsecor.exe	104
PID 2336 wrote to memory of 5028	2336	omsecor.exe	104
PID 2336 wrote to memory of 5028	2336	omsecor.exe	104
PID 2336 wrote to memory of 5028	2336	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe
"C:\Users\Admin\AppData\Local\Temp\fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe
  C:\Users\Admin\AppData\Local\Temp\fef6b6ece0e7b67fbc701dec5fec7989196a5146a8d139d1afd584ea5c5583ff.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3092
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 268
        8⤵
        Program crash
        
        PID:852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 292
        6⤵
        Program crash
        
        PID:4664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 300
      4⤵
      Program crash
      PID:3544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 288
  2⤵
  - Program crash
  PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4344 -ip 4344
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 636 -ip 636
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3092 -ip 3092
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2336 -ip 2336
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9a6b06265cd8128cef0e48d9bba40c99

SHA1
4ebbdccf08ad88afa712d204bfe9014ce0cba264

SHA256
b1cfbfa7cc4180a32e67ce06070fadd2d106262b93c99043d55be3485ebe17e5

SHA512
7f9b93ecdca8594a9090c6b7af504a77728aa6054425a3590d2dc1de6bcf24107a85058db75901265dbdf0ac7e11653c772386923e95b94bbd4e157b321865a9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e17e6f6e8f6594f8c820f7094df3d4a5

SHA1
1883b26cf91bd9eaca5b08b3cd6903bd6aac1940

SHA256
d391c3a47f66fb3a5fa383411f992ff2ce12ac2782e00130ae5121c883a17311

SHA512
12f41937156f7bb82d4f673b8043f6062a8bbf91b9ffe6dfc3c2aad315313d357fbc39e2c3f0c4b0ace8557f7fafc21436eb13568b0aa37de0a83640344f3037

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
49e24b5fe4f503d85381f6503994d183

SHA1
9da9b9cf765ac08cd3dab97c4228bc3fa38856e0

SHA256
5f77a2c008ca386a8d4f999bdade163db9aaa35e0921a6f3ddc52ce2fe43820b

SHA512
bb7979134373835bbefd93118bd85c2cc92437592197b41c9e1fedebb4ca31ecd78d42e5771b8e4f16a39bd6e4de65dc0041bbbf0e3b5138516b76bfa90545b2

Download Submit
memory/636-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/636-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2040-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2336-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3092-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3092-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3648-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3648-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3648-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4344-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4344-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4512-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5028-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5028-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5028-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5028-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download