neconyd | c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
Size

96KB
MD5

7beb27f76749602f71e980c0e44bae64
SHA1

dc19c7789d666a544e2ed9d2c35348cbafc3f955
SHA256

c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07
SHA512

ac4815f8b935871d0281d0efc88dae08a84fd6fbfff871019b0bcfeb78a42e7a4463fc9ec68f5e8145d4673a358262db340f583a99b3a534b3c691b4adba3856
SSDEEP

1536:RnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:RGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4032	omsecor.exe
1424	omsecor.exe
808	omsecor.exe
3528	omsecor.exe
4764	omsecor.exe
3508	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3336 set thread context of 4700	3336	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	83
PID 4032 set thread context of 1424	4032	omsecor.exe	87
PID 808 set thread context of 3528	808	omsecor.exe	109
PID 4764 set thread context of 3508	4764	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3104	4032	WerFault.exe	86
1132	3336	WerFault.exe	82
5048	808	WerFault.exe	108
2632	4764	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 4700	3336	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	83
PID 3336 wrote to memory of 4700	3336	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	83
PID 3336 wrote to memory of 4700	3336	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	83
PID 3336 wrote to memory of 4700	3336	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	83
PID 3336 wrote to memory of 4700	3336	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	83
PID 4700 wrote to memory of 4032	4700	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	86
PID 4700 wrote to memory of 4032	4700	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	86
PID 4700 wrote to memory of 4032	4700	c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe	86
PID 4032 wrote to memory of 1424	4032	omsecor.exe	87
PID 4032 wrote to memory of 1424	4032	omsecor.exe	87
PID 4032 wrote to memory of 1424	4032	omsecor.exe	87
PID 4032 wrote to memory of 1424	4032	omsecor.exe	87
PID 4032 wrote to memory of 1424	4032	omsecor.exe	87
PID 1424 wrote to memory of 808	1424	omsecor.exe	108
PID 1424 wrote to memory of 808	1424	omsecor.exe	108
PID 1424 wrote to memory of 808	1424	omsecor.exe	108
PID 808 wrote to memory of 3528	808	omsecor.exe	109
PID 808 wrote to memory of 3528	808	omsecor.exe	109
PID 808 wrote to memory of 3528	808	omsecor.exe	109
PID 808 wrote to memory of 3528	808	omsecor.exe	109
PID 808 wrote to memory of 3528	808	omsecor.exe	109
PID 3528 wrote to memory of 4764	3528	omsecor.exe	111
PID 3528 wrote to memory of 4764	3528	omsecor.exe	111
PID 3528 wrote to memory of 4764	3528	omsecor.exe	111
PID 4764 wrote to memory of 3508	4764	omsecor.exe	113
PID 4764 wrote to memory of 3508	4764	omsecor.exe	113
PID 4764 wrote to memory of 3508	4764	omsecor.exe	113
PID 4764 wrote to memory of 3508	4764	omsecor.exe	113
PID 4764 wrote to memory of 3508	4764	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
"C:\Users\Admin\AppData\Local\Temp\c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
  C:\Users\Admin\AppData\Local\Temp\c05356816d0f5f3a22531257b45dbb56fe15a7d8bcc58142cb5a89040b991d07.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 256
        8⤵
        Program crash
        
        PID:2632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 292
        6⤵
        Program crash
        
        PID:5048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 288
      4⤵
      Program crash
      PID:3104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 292
  2⤵
  - Program crash
  PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3336 -ip 3336
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4032 -ip 4032
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 808 -ip 808
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4764 -ip 4764
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
36289f1131c98000634c94116b97d6b2

SHA1
97162d00eda8deac7ce9af286e92df2a50cdb6ec

SHA256
3af82802c18f8789a1ab5f22ccfb211bd864b6364d46226c3f0bcde331737027

SHA512
3135653f5e670099d4d99a10eccef90ed32b55d1f9e75a52ba9afb57961a7b75648c5671a97b48a635e7d79b86c130ce583f6b0d5d3929893efca7b165502da2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
656fe6742d670e9910a4986e5c53a8cd

SHA1
6ca0e29f3c3082a135cce927c34d36d7e8dcf6d3

SHA256
bb822ac51eba8245e6fc6c8453204ea6a48347ab80a6cb48ca7d1affca7d72bb

SHA512
0b014eccac565b064a47b98ee1edc1a770b490f5ef77d175a2b2407fde718f1c5d10091d151fa4496ae3b2bab615c4e5a864a66532b9b114e498d4179153b7c1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
32cf2c03efb9694521c0d1492b734f6b

SHA1
d39c2be224d95599aa4b554ef0a4083c4dbeb7f7

SHA256
611c4c3abfdaede2e70a3680d4ab2fc07879533c3173570df8b3fb9397298ef3

SHA512
48aabfb05b89f7745cf0e95755e5eb546849eb377f295eb99b7403d433c52f7aa6a361632ea18a82da81d7acabb3336b78e8c8626b2e7994957bc926c1c3e9a2

Download Submit
memory/808-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/808-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1424-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1424-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1424-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1424-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1424-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1424-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1424-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3336-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3336-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3508-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3508-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3508-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3508-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3528-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3528-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3528-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4032-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4700-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4764-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4764-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download