neconyd | 89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Size

134KB
MD5

3d5b3c7cb20af8977f78ccfefb8cc367
SHA1

d0e1ad339d0e8741bb966323522734498e5f81dd
SHA256

89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0
SHA512

c695929ab9ab7fa93ea43d476b5b55bbe586b1b9a559dcfeee641b4f1016f6573d5def299a96eac55815f1d42e6d8138701e324244f695663490401fe2a822ae
SSDEEP

1536:KDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiV:siRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3928	omsecor.exe
5048	omsecor.exe
3108	omsecor.exe
1768	omsecor.exe
4336	omsecor.exe
1972	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4088 set thread context of 2628	4088	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 3928 set thread context of 5048	3928	omsecor.exe	86
PID 3108 set thread context of 1768	3108	omsecor.exe	100
PID 4336 set thread context of 1972	4336	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3572	3928	WerFault.exe	84
2180	4088	WerFault.exe	81
1656	3108	WerFault.exe	99
4516	4336	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2628	4088	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 4088 wrote to memory of 2628	4088	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 4088 wrote to memory of 2628	4088	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 4088 wrote to memory of 2628	4088	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 4088 wrote to memory of 2628	4088	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	82
PID 2628 wrote to memory of 3928	2628	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	84
PID 2628 wrote to memory of 3928	2628	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	84
PID 2628 wrote to memory of 3928	2628	89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe	84
PID 3928 wrote to memory of 5048	3928	omsecor.exe	86
PID 3928 wrote to memory of 5048	3928	omsecor.exe	86
PID 3928 wrote to memory of 5048	3928	omsecor.exe	86
PID 3928 wrote to memory of 5048	3928	omsecor.exe	86
PID 3928 wrote to memory of 5048	3928	omsecor.exe	86
PID 5048 wrote to memory of 3108	5048	omsecor.exe	99
PID 5048 wrote to memory of 3108	5048	omsecor.exe	99
PID 5048 wrote to memory of 3108	5048	omsecor.exe	99
PID 3108 wrote to memory of 1768	3108	omsecor.exe	100
PID 3108 wrote to memory of 1768	3108	omsecor.exe	100
PID 3108 wrote to memory of 1768	3108	omsecor.exe	100
PID 3108 wrote to memory of 1768	3108	omsecor.exe	100
PID 3108 wrote to memory of 1768	3108	omsecor.exe	100
PID 1768 wrote to memory of 4336	1768	omsecor.exe	102
PID 1768 wrote to memory of 4336	1768	omsecor.exe	102
PID 1768 wrote to memory of 4336	1768	omsecor.exe	102
PID 4336 wrote to memory of 1972	4336	omsecor.exe	104
PID 4336 wrote to memory of 1972	4336	omsecor.exe	104
PID 4336 wrote to memory of 1972	4336	omsecor.exe	104
PID 4336 wrote to memory of 1972	4336	omsecor.exe	104
PID 4336 wrote to memory of 1972	4336	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
"C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
  C:\Users\Admin\AppData\Local\Temp\89e80795c52ddf6c44ed982257da893c4edb18f2b71e46ec9d0564c09f787dd0.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 256
        8⤵
        Program crash
        
        PID:4516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 292
        6⤵
        Program crash
        
        PID:1656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 304
      4⤵
      Program crash
      PID:3572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 288
  2⤵
  - Program crash
  PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4088 -ip 4088
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3928 -ip 3928
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3108 -ip 3108
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4336 -ip 4336
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d0be8fbeaf39736de99c029f433e99e2

SHA1
d272608d3c4fd8067307ad9a5d13b6cf91e7073e

SHA256
c1367ca31b3a9b06198e33af357b4cb6a0638f2f69d58a2e58bfed52e9fde623

SHA512
0c0d1604f38da2264af911e21e9dc6948a6debbc1366a4d89acfee57b000738e3aceb391b2704fd2edb193773143fd96e23802432423a49ecc55d2ec02cadd0b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
529cfc078ce3b52562b16400dd734c8d

SHA1
f3a3708bee97734670490363f99b2ad8c81e811b

SHA256
c6c34050f8ed5ee9dfb5b3aa96e32d1520fc22302deb2c18e54f5a08625a444a

SHA512
72043eb189a8e6af5caf618073693780817a284d7727da911f3638435586aba8b2ac1f296fa7b54ee87230fbd4fe296f6544deeb1b17dcb522806d62e05282c4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
a8914f16b78f6d0f1f5bfa2fefaaff86

SHA1
0d845908c982e1d8a49be9e6017ef8e0fa7fb36a

SHA256
5e114b3f95c0cf6f39b137342a76e1a72d4a612c165f7eb2fc8aea7890bd1899

SHA512
2a25aece2983a9a712f633eca277d248c18a3d0933106d9e9971e3c83054e6919cc58df707393d0e7060b6775119d2fea6522454f78f47dfd687d6ff6ba9deda

Download Submit
memory/1768-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1768-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1768-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3108-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3108-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3928-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3928-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4088-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4088-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4336-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5048-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download