neconyd | 92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
Size

96KB
MD5

7f41359706a5ba9171426ed05726b543
SHA1

4f18457e3a7b8ef31c19e710c2715848c88a9513
SHA256

92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924
SHA512

c98a04eb685ad7a5fde0cd4212ecec35f66c7835abfe7602a40673098855384e54492cd3fe693fe4aff5144b72fddbbe826085dc1d00ee5fa7a64aa4feb3e557
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:zGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2256	omsecor.exe
1524	omsecor.exe
2752	omsecor.exe
2852	omsecor.exe
2712	omsecor.exe
4368	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 2896	952	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	83
PID 2256 set thread context of 1524	2256	omsecor.exe	87
PID 2752 set thread context of 2852	2752	omsecor.exe	109
PID 2712 set thread context of 4368	2712	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1840	952	WerFault.exe	81
232	2256	WerFault.exe	85
2324	2752	WerFault.exe	108
3076	2712	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 2896	952	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	83
PID 952 wrote to memory of 2896	952	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	83
PID 952 wrote to memory of 2896	952	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	83
PID 952 wrote to memory of 2896	952	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	83
PID 952 wrote to memory of 2896	952	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	83
PID 2896 wrote to memory of 2256	2896	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	85
PID 2896 wrote to memory of 2256	2896	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	85
PID 2896 wrote to memory of 2256	2896	92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe	85
PID 2256 wrote to memory of 1524	2256	omsecor.exe	87
PID 2256 wrote to memory of 1524	2256	omsecor.exe	87
PID 2256 wrote to memory of 1524	2256	omsecor.exe	87
PID 2256 wrote to memory of 1524	2256	omsecor.exe	87
PID 2256 wrote to memory of 1524	2256	omsecor.exe	87
PID 1524 wrote to memory of 2752	1524	omsecor.exe	108
PID 1524 wrote to memory of 2752	1524	omsecor.exe	108
PID 1524 wrote to memory of 2752	1524	omsecor.exe	108
PID 2752 wrote to memory of 2852	2752	omsecor.exe	109
PID 2752 wrote to memory of 2852	2752	omsecor.exe	109
PID 2752 wrote to memory of 2852	2752	omsecor.exe	109
PID 2752 wrote to memory of 2852	2752	omsecor.exe	109
PID 2752 wrote to memory of 2852	2752	omsecor.exe	109
PID 2852 wrote to memory of 2712	2852	omsecor.exe	111
PID 2852 wrote to memory of 2712	2852	omsecor.exe	111
PID 2852 wrote to memory of 2712	2852	omsecor.exe	111
PID 2712 wrote to memory of 4368	2712	omsecor.exe	113
PID 2712 wrote to memory of 4368	2712	omsecor.exe	113
PID 2712 wrote to memory of 4368	2712	omsecor.exe	113
PID 2712 wrote to memory of 4368	2712	omsecor.exe	113
PID 2712 wrote to memory of 4368	2712	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
"C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
  C:\Users\Admin\AppData\Local\Temp\92a53c1b1d52b6b4035fabe196673f8b657f8f9389d94ea7b160978c9445e924.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 256
        8⤵
        Program crash
        
        PID:3076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 292
        6⤵
        Program crash
        
        PID:2324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 288
      4⤵
      Program crash
      PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 288
  2⤵
  - Program crash
  PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2256 -ip 2256
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2752 -ip 2752
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2712 -ip 2712
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e5a6576807938cf6b35bc76e0abba07a

SHA1
dda4fe19ecf9da4e251a6f5b1846c01e7135fdf6

SHA256
e0ccfea697214a97d6a41af4d8ec69da52843df65cace7a35cfe54d71eb78c10

SHA512
564e977ccf2a109ca9a65e3e0f1f55436f2e68322a87ef8d6650c51ce3eae1b13f34c57def49d3c1492e9f30fc4bf540b29f85d3fd969cf2bd581361aa5ed14d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b0fa627110c763983771f77ddc32f0db

SHA1
1c206c583dd616f3bd606300380c092b68f813fe

SHA256
aad3f25bb9f6531c5da307ba9b60b4d4a2fbcdd26ef3f51d326ebb09c937fd5f

SHA512
471d758c3f50ed9a9fd51ba6e5bb3da884f08a193d533aba06bbb80d35220d08291fd5b915521e235387256a538483eb0d84f855e60339cc46834764e3113923

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
a195654103d913f9ad34f327d3e91550

SHA1
9f75d9cbc2a09443ff5c835d14b812f0ed58d59e

SHA256
5d4ec35d2e727be265a1e1142d2b17ea572ede126a8103bbca409663443a81ba

SHA512
bc881e96b2e91132d99d55522300c0f9196fa434a4e59931fb801e5351ac8176a0f62502b8936d92d914571734ff67012501f994024c7dcc3756a36c6e1282f4

Download Submit
memory/952-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/952-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2256-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2256-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2712-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2712-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2752-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2752-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2896-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2896-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2896-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2896-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4368-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4368-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4368-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download