neconyd | 89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0

Analysis

max time kernel
115s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Size

134KB
MD5

3d5b3c7cb20af8977f78ccfefb8cc367
SHA1

d0e1ad339d0e8741bb966323522734498e5f81dd
SHA256

89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0
SHA512

c695929ab9ab7fa93ea43d476b5b55bbe586b1b9a559dcfeee641b4f1016f6573d5def299a96eac55815f1d42e6d8138701e324244f695663490401fe2a822ae
SSDEEP

1536:KDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiV:siRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
872	omsecor.exe
1848	omsecor.exe
4660	omsecor.exe
3068	omsecor.exe
232	omsecor.exe
1960	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4588 set thread context of 2176	4588	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 872 set thread context of 1848	872	omsecor.exe	86
PID 4660 set thread context of 3068	4660	omsecor.exe	100
PID 232 set thread context of 1960	232	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1064	4588	WerFault.exe	81
1432	872	WerFault.exe	84
3276	4660	WerFault.exe	99
1852	232	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2176	4588	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 4588 wrote to memory of 2176	4588	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 4588 wrote to memory of 2176	4588	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 4588 wrote to memory of 2176	4588	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 4588 wrote to memory of 2176	4588	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 2176 wrote to memory of 872	2176	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	84
PID 2176 wrote to memory of 872	2176	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	84
PID 2176 wrote to memory of 872	2176	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	84
PID 872 wrote to memory of 1848	872	omsecor.exe	86
PID 872 wrote to memory of 1848	872	omsecor.exe	86
PID 872 wrote to memory of 1848	872	omsecor.exe	86
PID 872 wrote to memory of 1848	872	omsecor.exe	86
PID 872 wrote to memory of 1848	872	omsecor.exe	86
PID 1848 wrote to memory of 4660	1848	omsecor.exe	99
PID 1848 wrote to memory of 4660	1848	omsecor.exe	99
PID 1848 wrote to memory of 4660	1848	omsecor.exe	99
PID 4660 wrote to memory of 3068	4660	omsecor.exe	100
PID 4660 wrote to memory of 3068	4660	omsecor.exe	100
PID 4660 wrote to memory of 3068	4660	omsecor.exe	100
PID 4660 wrote to memory of 3068	4660	omsecor.exe	100
PID 4660 wrote to memory of 3068	4660	omsecor.exe	100
PID 3068 wrote to memory of 232	3068	omsecor.exe	102
PID 3068 wrote to memory of 232	3068	omsecor.exe	102
PID 3068 wrote to memory of 232	3068	omsecor.exe	102
PID 232 wrote to memory of 1960	232	omsecor.exe	104
PID 232 wrote to memory of 1960	232	omsecor.exe	104
PID 232 wrote to memory of 1960	232	omsecor.exe	104
PID 232 wrote to memory of 1960	232	omsecor.exe	104
PID 232 wrote to memory of 1960	232	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
"C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
  C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4660
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 256
        8⤵
        Program crash
        
        PID:1852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 292
        6⤵
        Program crash
        
        PID:3276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 288
      4⤵
      Program crash
      PID:1432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 288
  2⤵
  - Program crash
  PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4588 -ip 4588
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 872 -ip 872
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4660 -ip 4660
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 232 -ip 232
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
0440bca0c31d521ab3d38d269b807814

SHA1
5c8d9f7d7cc71daa27f62cb03227a30a0cb6c752

SHA256
b6fb9c1a090a0dcfc5aea523a367cea057321010a17a420659e042ec4c55767c

SHA512
3ff9d25a3529502d95b3d8c87998f514581a2a0c4565f9c30a8bc732978eea562da2d38056aa2e8cb6b1db66506e7b033616788187a5940d6aebc300ce70689d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
529cfc078ce3b52562b16400dd734c8d

SHA1
f3a3708bee97734670490363f99b2ad8c81e811b

SHA256
c6c34050f8ed5ee9dfb5b3aa96e32d1520fc22302deb2c18e54f5a08625a444a

SHA512
72043eb189a8e6af5caf618073693780817a284d7727da911f3638435586aba8b2ac1f296fa7b54ee87230fbd4fe296f6544deeb1b17dcb522806d62e05282c4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
9b2e6dc8efa11311594f1a34a22432b0

SHA1
6de2f2bbe2297c338370a26862add14da6776b04

SHA256
1bf4fc96fb28b25d32984586e428d1546646ba02cd169f5e47d4747f1fdd1a1f

SHA512
7b50891c67677eb81006793d81070ec4f08ce522790e632b2c1d58bfc2d9063f05b00e500ae3dc4a0c0fffd055bb5db9e55507c5d09bdb96d7aef35e61558ba3

Download Submit
memory/232-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/872-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1848-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4588-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4588-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4660-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4660-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download