neconyd | ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe
Size

96KB
MD5

bcadd7ede953fb864ee8f439ee7c351c
SHA1

11c74f41f410b1ef09c5415932e1987745e2c1ff
SHA256

ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965
SHA512

6ffc1b7b2255a794109bbe066b454fe78db966230ac045512b234d349d912492125b193575941175c155e13d61319f560c119528661fa1580c090baa241de99f
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:UGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
5104	omsecor.exe
3944	omsecor.exe
696	omsecor.exe
3544	omsecor.exe
2728	omsecor.exe
1516	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 4768	4808	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe	83
PID 5104 set thread context of 3944	5104	omsecor.exe	88
PID 696 set thread context of 3544	696	omsecor.exe	108
PID 2728 set thread context of 1516	2728	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3516	4808	WerFault.exe	82
736	5104	WerFault.exe	86
1380	696	WerFault.exe	107
3868	2728	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4768	4808	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe	83
PID 4808 wrote to memory of 4768	4808	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe	83
PID 4808 wrote to memory of 4768	4808	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe	83
PID 4808 wrote to memory of 4768	4808	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe	83
PID 4808 wrote to memory of 4768	4808	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe	83
PID 4768 wrote to memory of 5104	4768	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe	86
PID 4768 wrote to memory of 5104	4768	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe	86
PID 4768 wrote to memory of 5104	4768	ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe	86
PID 5104 wrote to memory of 3944	5104	omsecor.exe	88
PID 5104 wrote to memory of 3944	5104	omsecor.exe	88
PID 5104 wrote to memory of 3944	5104	omsecor.exe	88
PID 5104 wrote to memory of 3944	5104	omsecor.exe	88
PID 5104 wrote to memory of 3944	5104	omsecor.exe	88
PID 3944 wrote to memory of 696	3944	omsecor.exe	107
PID 3944 wrote to memory of 696	3944	omsecor.exe	107
PID 3944 wrote to memory of 696	3944	omsecor.exe	107
PID 696 wrote to memory of 3544	696	omsecor.exe	108
PID 696 wrote to memory of 3544	696	omsecor.exe	108
PID 696 wrote to memory of 3544	696	omsecor.exe	108
PID 696 wrote to memory of 3544	696	omsecor.exe	108
PID 696 wrote to memory of 3544	696	omsecor.exe	108
PID 3544 wrote to memory of 2728	3544	omsecor.exe	110
PID 3544 wrote to memory of 2728	3544	omsecor.exe	110
PID 3544 wrote to memory of 2728	3544	omsecor.exe	110
PID 2728 wrote to memory of 1516	2728	omsecor.exe	112
PID 2728 wrote to memory of 1516	2728	omsecor.exe	112
PID 2728 wrote to memory of 1516	2728	omsecor.exe	112
PID 2728 wrote to memory of 1516	2728	omsecor.exe	112
PID 2728 wrote to memory of 1516	2728	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe
"C:\Users\Admin\AppData\Local\Temp\ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe
  C:\Users\Admin\AppData\Local\Temp\ab6aa14e5b2c300254ab78cb709ad3f1a4eede68f99d5273a25873cb0beda965.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:696
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 268
        8⤵
        Program crash
        
        PID:3868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 292
        6⤵
        Program crash
        
        PID:1380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 296
      4⤵
      Program crash
      PID:736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 288
  2⤵
  - Program crash
  PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4808 -ip 4808
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5104 -ip 5104
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 696 -ip 696
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2728 -ip 2728
1⤵
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
85c4b9105ad4bcbdddf3fd5fd38c13c6

SHA1
5f43f6e3e598332a2bf72b2ac79d609c325b73fb

SHA256
69bb35fcf0607bc7244fc040f22fb6d11fdefdae6ad03adbdb3a6ef774af6225

SHA512
5d284e5040eaad088e7c27158bedb4839efc492b9db8f65f1ba798b956edd97853052cfbbcac1a9536a6b87622c7b5ab9de7ef6c719f09c84128e9099de384c8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3249450dc5889b11e37ee8f4998819eb

SHA1
83725352fce432ddb519eb3401bce429fab1ad34

SHA256
79dce641855a66f15b05afd1f56a8e6a01d5373b05040bca9f72167b02744ce0

SHA512
aa649c8e04592fb8a18ec28c9c84dee0f16e3d66b38e61defd85ef99e98712f484a986b0350cc90ce7fcbe459213653517f7e572ce3b8a3eaa49fe70746b9f65

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
7f00c0a603c6cc90503b06647a3273c0

SHA1
a315210f792b6419b95940191e3980087cd31a5a

SHA256
b033f33f09211124438add01c477926fcf8b05e35e065645b2e9e68bf1d41ba6

SHA512
6745e5d8d0af11c5c5b92e0918c6cffada9450f446cb0a6b633fa5ff0896afc25921d7a879bc777fc53e261962c6796be7b17f8857e9c2aa525521b0f0188176

Download Submit
memory/696-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/696-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1516-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1516-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1516-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2728-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3544-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3544-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3544-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4768-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4768-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4768-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4768-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4808-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4808-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5104-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5104-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download