neconyd | 33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218

Analysis

max time kernel
115s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe
Size

134KB
MD5

2d2b896bc5927ae4f546c11a96627120
SHA1

60b22009f42bba5fec83e4e6c6e5e44dcfd4de56
SHA256

33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218
SHA512

a9b0b63aae157717bf4054d4a5028f21040fc8cf33f32dae7cde5656f7203701c92e60e33f9eef55123bf7c3b2eea29528b85b25cae2fb48d044e6fbd7a98b8c
SSDEEP

1536:jDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCin:viRTeH0iqAW6J6f1tqF6dngNmaZCiaG

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2516	omsecor.exe
1716	omsecor.exe
2392	omsecor.exe
1284	omsecor.exe
1536	omsecor.exe
3896	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 1016	4908	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe	82
PID 2516 set thread context of 1716	2516	omsecor.exe	86
PID 2392 set thread context of 1284	2392	omsecor.exe	100
PID 1536 set thread context of 3896	1536	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2056	4908	WerFault.exe	81
5016	2516	WerFault.exe	84
4252	2392	WerFault.exe	99
1600	1536	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1016	4908	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe	82
PID 4908 wrote to memory of 1016	4908	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe	82
PID 4908 wrote to memory of 1016	4908	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe	82
PID 4908 wrote to memory of 1016	4908	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe	82
PID 4908 wrote to memory of 1016	4908	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe	82
PID 1016 wrote to memory of 2516	1016	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe	84
PID 1016 wrote to memory of 2516	1016	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe	84
PID 1016 wrote to memory of 2516	1016	33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe	84
PID 2516 wrote to memory of 1716	2516	omsecor.exe	86
PID 2516 wrote to memory of 1716	2516	omsecor.exe	86
PID 2516 wrote to memory of 1716	2516	omsecor.exe	86
PID 2516 wrote to memory of 1716	2516	omsecor.exe	86
PID 2516 wrote to memory of 1716	2516	omsecor.exe	86
PID 1716 wrote to memory of 2392	1716	omsecor.exe	99
PID 1716 wrote to memory of 2392	1716	omsecor.exe	99
PID 1716 wrote to memory of 2392	1716	omsecor.exe	99
PID 2392 wrote to memory of 1284	2392	omsecor.exe	100
PID 2392 wrote to memory of 1284	2392	omsecor.exe	100
PID 2392 wrote to memory of 1284	2392	omsecor.exe	100
PID 2392 wrote to memory of 1284	2392	omsecor.exe	100
PID 2392 wrote to memory of 1284	2392	omsecor.exe	100
PID 1284 wrote to memory of 1536	1284	omsecor.exe	102
PID 1284 wrote to memory of 1536	1284	omsecor.exe	102
PID 1284 wrote to memory of 1536	1284	omsecor.exe	102
PID 1536 wrote to memory of 3896	1536	omsecor.exe	104
PID 1536 wrote to memory of 3896	1536	omsecor.exe	104
PID 1536 wrote to memory of 3896	1536	omsecor.exe	104
PID 1536 wrote to memory of 3896	1536	omsecor.exe	104
PID 1536 wrote to memory of 3896	1536	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe
"C:\Users\Admin\AppData\Local\Temp\33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe
  C:\Users\Admin\AppData\Local\Temp\33cf1c4378fdc3eb723766756999531f79550f8e2f00211347500ad884d22218N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 256
        8⤵
        Program crash
        
        PID:1600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 292
        6⤵
        Program crash
        
        PID:4252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 300
      4⤵
      Program crash
      PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 300
  2⤵
  - Program crash
  PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2516 -ip 2516
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2392 -ip 2392
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1536 -ip 1536
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
39b3e294b42314f43812c1680978031c

SHA1
608962789c8052d5efcc7ad99b51f12cf8f7e75c

SHA256
3b3358a226e41adde290437b98831faa9ef96a6dc836acf63e7189dccd891d45

SHA512
ec1dadcea6e446f85fcc7e0b1f56090d213ef7f3a712e890997f61c3cf3fa1f239f22b1e61d7472735a639c8038886c13fb751b473015b05e8e5f8f414266094

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
1e810c045c762f11d7f27fc8e62a6798

SHA1
42640344750760c70e71bf67828850a6993a3b76

SHA256
386fa0475cff792cfb34afcaa9ade0729a3964edb36ad893197d5176ba97d032

SHA512
b6cfd948e6872271985262614a2500913d99dbfda8e051cbb7b5f3b488f9faf2419041b03fe86ba397dee27a84e530e561bfea1a4acf0fca09e181543bb9d48f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
b3807a002749481d9b64ac650b262426

SHA1
a9e9b26d906ea67c3ae2c689bf2137f4552d16b6

SHA256
de775b9f21df2ce181d254783f3cab29e020e0a479ea6351d009f740206dcd06

SHA512
0951cb0ba3b5d59787c86e240ac4bbfd10bc677232f217255e2e7da1efdcdb07dbad935847021cea650add49bf072b7246188cd898bb92c4e3b611d51830a06e

Download Submit
memory/1016-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1016-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1016-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1016-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1284-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1284-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1284-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1536-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1716-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2392-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2516-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3896-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3896-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3896-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4908-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4908-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download