neconyd | 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0

Resubmissions

21-01-2025 13:23

250121-qm6f9awmck 10

21-01-2025 13:09

250121-qd933svrer 10

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Size

96KB
MD5

f52b87b3a347a98aaa214c53bbf3e320
SHA1

88f7e62d9b4acbb8b1a34c6c91929f4565797b4e
SHA256

123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0
SHA512

75b896379303f12c88f3b7097356df19662898761803d1cac699491a357f3bf3bdcc2487e187335983ef6c464f5eeb8e0aec47d4c866ae04246ccde05731bcf1
SSDEEP

1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:4Gs8cd8eXlYairZYqMddH13T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2060	omsecor.exe
3624	omsecor.exe
3320	omsecor.exe
2832	omsecor.exe
4356	omsecor.exe
4940	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 2152	2988	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 2060 set thread context of 3624	2060	omsecor.exe	87
PID 3320 set thread context of 2832	3320	omsecor.exe	109
PID 4356 set thread context of 4940	4356	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3996	2988	WerFault.exe	82
5112	2060	WerFault.exe	85
2472	3320	WerFault.exe	108
2948	4356	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2152	2988	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 2988 wrote to memory of 2152	2988	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 2988 wrote to memory of 2152	2988	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 2988 wrote to memory of 2152	2988	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 2988 wrote to memory of 2152	2988	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	83
PID 2152 wrote to memory of 2060	2152	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	85
PID 2152 wrote to memory of 2060	2152	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	85
PID 2152 wrote to memory of 2060	2152	123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe	85
PID 2060 wrote to memory of 3624	2060	omsecor.exe	87
PID 2060 wrote to memory of 3624	2060	omsecor.exe	87
PID 2060 wrote to memory of 3624	2060	omsecor.exe	87
PID 2060 wrote to memory of 3624	2060	omsecor.exe	87
PID 2060 wrote to memory of 3624	2060	omsecor.exe	87
PID 3624 wrote to memory of 3320	3624	omsecor.exe	108
PID 3624 wrote to memory of 3320	3624	omsecor.exe	108
PID 3624 wrote to memory of 3320	3624	omsecor.exe	108
PID 3320 wrote to memory of 2832	3320	omsecor.exe	109
PID 3320 wrote to memory of 2832	3320	omsecor.exe	109
PID 3320 wrote to memory of 2832	3320	omsecor.exe	109
PID 3320 wrote to memory of 2832	3320	omsecor.exe	109
PID 3320 wrote to memory of 2832	3320	omsecor.exe	109
PID 2832 wrote to memory of 4356	2832	omsecor.exe	111
PID 2832 wrote to memory of 4356	2832	omsecor.exe	111
PID 2832 wrote to memory of 4356	2832	omsecor.exe	111
PID 4356 wrote to memory of 4940	4356	omsecor.exe	113
PID 4356 wrote to memory of 4940	4356	omsecor.exe	113
PID 4356 wrote to memory of 4940	4356	omsecor.exe	113
PID 4356 wrote to memory of 4940	4356	omsecor.exe	113
PID 4356 wrote to memory of 4940	4356	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
"C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 256
        8⤵
        Program crash
        
        PID:2948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 296
        6⤵
        Program crash
        
        PID:2472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 288
      4⤵
      Program crash
      PID:5112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 288
  2⤵
  - Program crash
  PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2988 -ip 2988
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2060 -ip 2060
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3320 -ip 3320
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4356 -ip 4356
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3ed580a195e52b712ad98701276f22d8

SHA1
fdba91bb0cdfcd6f2f65fb551baa744d98b634c6

SHA256
8e4775af7a2110c3eb14285f90948e6933d1d9625c8391b76df32faea4436682

SHA512
acc842831c96d1ccc40691b02154a7575c5ffbcf95bcb0970cbc8e9367b8de7798ec19d9a8564c344de7566bd8a548022c3c1d787be0915a5498023ac7b7c8ae

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
744d190cfabe3ba735603a2514be60ff

SHA1
c9c6fce7640041d4923b1733693f63f07d521e19

SHA256
a89a85d0270b534c1b231aeb5091f82f05d0f87b6c09695cfa444e98f4b22704

SHA512
5444d14dc2569d988710aa3c38285f811cdd3cca023f64ce824fa15c74fadf0f21fe3d51da60e39c340e8ff463905ca6c16493655f8ea0cc17c71745fcca7767

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9e89b98eb428c54e3fd8f7780d67def5

SHA1
a56598394d50df738713f3473d4fd9413c5f3e29

SHA256
8492c242a39e50d2198f068ae73ece94d5126d7aa40f9050c50290603c6b67cb

SHA512
657071ff4f8d695f523918b75fd4263ac71117eff8ed9f8236aaa218240661903dfbc35f76d02e1cba106629cfcf3312cbf26a75b12e5a6882e829fc51c6eac0

Download Submit
memory/2060-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2988-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2988-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3320-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3320-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3624-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3624-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4356-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4940-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4940-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4940-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4940-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download