neconyd | f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
Size

134KB
MD5

0e016ef700da2f75e04cdea881bcbde0
SHA1

c77b00e001c8b6411438780da98f4d93ff973b16
SHA256

f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5
SHA512

0ad4b8185dab202561581b5daba7e028d36efe7bdf27a3fcb224664468517018f29dd40ba9ea00e5eaac0a72f7b0bd80c9719197677d314e9c50e124b5a141b2
SSDEEP

1536:fDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCit:LiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
468	omsecor.exe
2868	omsecor.exe
4968	omsecor.exe
1488	omsecor.exe
2896	omsecor.exe
4160	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5056 set thread context of 3100	5056	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	83
PID 468 set thread context of 2868	468	omsecor.exe	88
PID 4968 set thread context of 1488	4968	omsecor.exe	109
PID 2896 set thread context of 4160	2896	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4804	5056	WerFault.exe	82
412	468	WerFault.exe	86
4316	4968	WerFault.exe	108
2456	2896	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3100	5056	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	83
PID 5056 wrote to memory of 3100	5056	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	83
PID 5056 wrote to memory of 3100	5056	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	83
PID 5056 wrote to memory of 3100	5056	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	83
PID 5056 wrote to memory of 3100	5056	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	83
PID 3100 wrote to memory of 468	3100	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	86
PID 3100 wrote to memory of 468	3100	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	86
PID 3100 wrote to memory of 468	3100	f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe	86
PID 468 wrote to memory of 2868	468	omsecor.exe	88
PID 468 wrote to memory of 2868	468	omsecor.exe	88
PID 468 wrote to memory of 2868	468	omsecor.exe	88
PID 468 wrote to memory of 2868	468	omsecor.exe	88
PID 468 wrote to memory of 2868	468	omsecor.exe	88
PID 2868 wrote to memory of 4968	2868	omsecor.exe	108
PID 2868 wrote to memory of 4968	2868	omsecor.exe	108
PID 2868 wrote to memory of 4968	2868	omsecor.exe	108
PID 4968 wrote to memory of 1488	4968	omsecor.exe	109
PID 4968 wrote to memory of 1488	4968	omsecor.exe	109
PID 4968 wrote to memory of 1488	4968	omsecor.exe	109
PID 4968 wrote to memory of 1488	4968	omsecor.exe	109
PID 4968 wrote to memory of 1488	4968	omsecor.exe	109
PID 1488 wrote to memory of 2896	1488	omsecor.exe	111
PID 1488 wrote to memory of 2896	1488	omsecor.exe	111
PID 1488 wrote to memory of 2896	1488	omsecor.exe	111
PID 2896 wrote to memory of 4160	2896	omsecor.exe	113
PID 2896 wrote to memory of 4160	2896	omsecor.exe	113
PID 2896 wrote to memory of 4160	2896	omsecor.exe	113
PID 2896 wrote to memory of 4160	2896	omsecor.exe	113
PID 2896 wrote to memory of 4160	2896	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
"C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
  C:\Users\Admin\AppData\Local\Temp\f9318a57a953b2026f76e7072af47d742ece3f78c9bf0e4ab159b25f3db4f2c5N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 268
        8⤵
        Program crash
        
        PID:2456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 292
        6⤵
        Program crash
        
        PID:4316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 300
      4⤵
      Program crash
      PID:412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 288
  2⤵
  - Program crash
  PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 468 -ip 468
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4968 -ip 4968
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2896 -ip 2896
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
6d6b36a1e4f4557fd744fd7e20c106e4

SHA1
fdcd8d4390ceeea58264518a9e2471e265619abd

SHA256
6b1827e2b735f1a6f0fdbbd5dfd74c22cbc52dd1bf277f007b126ec93fc240b1

SHA512
3b8ac393ec365f79785ca89e54d6f9d379829823cb2370beb9ca119de88a9fc46f74a4664ffc8e937274ae50afbb9c3e27ef081fe89156379b17b5f3191eafdf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
237a4f2577e78998d6c839bba61dcdad

SHA1
60350ebe9b8f80a61f8e0239b939414a3b8f17a3

SHA256
bc97d6d04ae87c3b9b0c1bc34aa12af7fb6109559af76145f964d71d160df5e8

SHA512
dc2b0efe3fa95fb4a7bb9eec16a3bc294dfd57d60eda2f948e2f67991a951385cbf22edc5a76c59220509fc0ad8df64cbceedee8aec9d1853359f0882eab03ba

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
ac96dcef4ce3c403fc9a9cbe758ea7b7

SHA1
bbc3a9d85abd7d47f645fe1092a2cdc1d12a32bc

SHA256
9cf110390d68026d565b4f1ca8c7678d85261d5ba98f22eea487d16caaf810a4

SHA512
bb752c3b164431f219170dc6c8dc81e0345c2c24ca75b2354ba826db582d6484ab3a1b7ca37ff681d13450e34a5d65bd1f51203672ec759b33df82a3396e69b1

Download Submit
memory/468-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/468-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1488-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1488-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1488-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2896-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2896-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3100-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3100-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3100-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3100-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4160-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4968-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4968-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5056-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5056-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download