neconyd | e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
Size

96KB
MD5

e7b21e143f78b089835bb83b0d883cd3
SHA1

b7dcac827c045891b15108cc070b14e40d4defa0
SHA256

e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b
SHA512

e3df15543382a0bfad4907ab39921afcad4eb31d82195fcdc2b97bad1c18ac3e4b970cd65f1dd32a62126e3869293bb4d8cf915f6cc6c8cd2cc4925d41c77b74
SSDEEP

1536:MnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:MGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1380	omsecor.exe
3596	omsecor.exe
3676	omsecor.exe
2128	omsecor.exe
2840	omsecor.exe
540	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 1172	1564	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	83
PID 1380 set thread context of 3596	1380	omsecor.exe	88
PID 3676 set thread context of 2128	3676	omsecor.exe	107
PID 2840 set thread context of 540	2840	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3652	1564	WerFault.exe	82
1692	1380	WerFault.exe	85
4904	3676	WerFault.exe	106
4304	2840	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1172	1564	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	83
PID 1564 wrote to memory of 1172	1564	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	83
PID 1564 wrote to memory of 1172	1564	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	83
PID 1564 wrote to memory of 1172	1564	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	83
PID 1564 wrote to memory of 1172	1564	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	83
PID 1172 wrote to memory of 1380	1172	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	85
PID 1172 wrote to memory of 1380	1172	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	85
PID 1172 wrote to memory of 1380	1172	e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe	85
PID 1380 wrote to memory of 3596	1380	omsecor.exe	88
PID 1380 wrote to memory of 3596	1380	omsecor.exe	88
PID 1380 wrote to memory of 3596	1380	omsecor.exe	88
PID 1380 wrote to memory of 3596	1380	omsecor.exe	88
PID 1380 wrote to memory of 3596	1380	omsecor.exe	88
PID 3596 wrote to memory of 3676	3596	omsecor.exe	106
PID 3596 wrote to memory of 3676	3596	omsecor.exe	106
PID 3596 wrote to memory of 3676	3596	omsecor.exe	106
PID 3676 wrote to memory of 2128	3676	omsecor.exe	107
PID 3676 wrote to memory of 2128	3676	omsecor.exe	107
PID 3676 wrote to memory of 2128	3676	omsecor.exe	107
PID 3676 wrote to memory of 2128	3676	omsecor.exe	107
PID 3676 wrote to memory of 2128	3676	omsecor.exe	107
PID 2128 wrote to memory of 2840	2128	omsecor.exe	109
PID 2128 wrote to memory of 2840	2128	omsecor.exe	109
PID 2128 wrote to memory of 2840	2128	omsecor.exe	109
PID 2840 wrote to memory of 540	2840	omsecor.exe	111
PID 2840 wrote to memory of 540	2840	omsecor.exe	111
PID 2840 wrote to memory of 540	2840	omsecor.exe	111
PID 2840 wrote to memory of 540	2840	omsecor.exe	111
PID 2840 wrote to memory of 540	2840	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
"C:\Users\Admin\AppData\Local\Temp\e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
  C:\Users\Admin\AppData\Local\Temp\e87a33f1888aedfb70f3158b0612a43d38bc5246baa68f9bd99f3b2f29811d5b.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 244
        8⤵
        Program crash
        
        PID:4304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 292
        6⤵
        Program crash
        
        PID:4904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 288
      4⤵
      Program crash
      PID:1692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 300
  2⤵
  - Program crash
  PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1564 -ip 1564
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1380 -ip 1380
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3676 -ip 3676
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2840 -ip 2840
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
88a2a7a837f5dba6645c2b32c9ec5b62

SHA1
8b586fe8192128c6b5dbd19909a8d826e64169f7

SHA256
e555359ec79944e174eb60d6b1a5d47b32ac6bf17f360968e4ee830ac7cc2768

SHA512
75903120da37982058da3b09464c1996be6a1dd04c6da76d28674f07f636a6e741ac772c5b199c8330a0c6af76f983b23ed255ae9334265711be2ec25ab1fd7f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
585c4c9ea357839b6a04a1f249825846

SHA1
55710355c7a2262982cfb6ea516d97f848f75579

SHA256
324a22efaf6c5d5a293c5a0bc0637fa33d24ce9977e5a9745d4814b645c4750b

SHA512
8d73a9befb3021da72acac21087fa8bccc11caccc60e974732c0dc994ad4106262ae7bc90e89632bb8f43df3d643296999da0d4641199eb891b36b15082aca36

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
05af7b5446f2a5bd79dd5882b6668c2d

SHA1
66fac4f78938fe8d58eb3eb573133eeec15aacee

SHA256
0dfd5d90852c997c71d65806cf15881b3f6fb257855543f16d788db7564b08c3

SHA512
b301a5d88670965eac4eb704f3a6f8e273dd157513efd9695a6629305872e196821dc390e9faddede1aee0a7a65ec11ed923d53d10a08dfdb2eac4dd8bd27687

Download Submit
memory/540-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1172-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1172-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1172-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1172-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1380-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1380-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1564-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1564-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2128-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3596-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3596-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3596-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3596-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3596-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3596-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3596-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3676-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3676-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download