neconyd | c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092f

Analysis

max time kernel
112s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe
Size

134KB
MD5

78ab1ab55e6cba2f58c3cbf80034dcf0
SHA1

0a77873b7c66155905fd3e7fbcb69b6ce6f1b1a8
SHA256

c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092f
SHA512

2a88ac487cee2dcf3d0ac9127a045cc9de07d3e75fe53a069f7c910030b345885877d3344219fe5fc7cda40da51ec2502a151e0a9f8165c469ba3a49555e9290
SSDEEP

1536:8DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:iiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1924	omsecor.exe
4904	omsecor.exe
964	omsecor.exe
1416	omsecor.exe
1756	omsecor.exe
2236	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3972 set thread context of 3568	3972	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe	84
PID 1924 set thread context of 4904	1924	omsecor.exe	89
PID 964 set thread context of 1416	964	omsecor.exe	102
PID 1756 set thread context of 2236	1756	omsecor.exe	106

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3840	3972	WerFault.exe	83
2648	1924	WerFault.exe	87
2096	964	WerFault.exe	101
2868	1756	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 3568	3972	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe	84
PID 3972 wrote to memory of 3568	3972	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe	84
PID 3972 wrote to memory of 3568	3972	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe	84
PID 3972 wrote to memory of 3568	3972	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe	84
PID 3972 wrote to memory of 3568	3972	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe	84
PID 3568 wrote to memory of 1924	3568	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe	87
PID 3568 wrote to memory of 1924	3568	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe	87
PID 3568 wrote to memory of 1924	3568	c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe	87
PID 1924 wrote to memory of 4904	1924	omsecor.exe	89
PID 1924 wrote to memory of 4904	1924	omsecor.exe	89
PID 1924 wrote to memory of 4904	1924	omsecor.exe	89
PID 1924 wrote to memory of 4904	1924	omsecor.exe	89
PID 1924 wrote to memory of 4904	1924	omsecor.exe	89
PID 4904 wrote to memory of 964	4904	omsecor.exe	101
PID 4904 wrote to memory of 964	4904	omsecor.exe	101
PID 4904 wrote to memory of 964	4904	omsecor.exe	101
PID 964 wrote to memory of 1416	964	omsecor.exe	102
PID 964 wrote to memory of 1416	964	omsecor.exe	102
PID 964 wrote to memory of 1416	964	omsecor.exe	102
PID 964 wrote to memory of 1416	964	omsecor.exe	102
PID 964 wrote to memory of 1416	964	omsecor.exe	102
PID 1416 wrote to memory of 1756	1416	omsecor.exe	104
PID 1416 wrote to memory of 1756	1416	omsecor.exe	104
PID 1416 wrote to memory of 1756	1416	omsecor.exe	104
PID 1756 wrote to memory of 2236	1756	omsecor.exe	106
PID 1756 wrote to memory of 2236	1756	omsecor.exe	106
PID 1756 wrote to memory of 2236	1756	omsecor.exe	106
PID 1756 wrote to memory of 2236	1756	omsecor.exe	106
PID 1756 wrote to memory of 2236	1756	omsecor.exe	106

C:\Users\Admin\AppData\Local\Temp\c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe
"C:\Users\Admin\AppData\Local\Temp\c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Temp\c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe
  C:\Users\Admin\AppData\Local\Temp\c4ec4fd3c30234c2555c9dbeb792980b80b1ae2871ecaf55a964ce3e9ff5092fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 256
        8⤵
        Program crash
        
        PID:2868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 292
        6⤵
        Program crash
        
        PID:2096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 288
      4⤵
      Program crash
      PID:2648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 288
  2⤵
  - Program crash
  PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3972 -ip 3972
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1924 -ip 1924
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 964 -ip 964
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1756 -ip 1756
1⤵
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8d371aa8996ff61728fb4484d49e3e27

SHA1
f5cc2177905750474968b585113d0c2836e5645a

SHA256
244488923ee095070faf3c20f6b64b08f77e3fb1febffcc5ffc248e6e6268fef

SHA512
941c8b3e58042efe2a3cc192d966e134014a2e83766124a95cc653731ffeb332472f6003b40f87813709b9060305aa44dc0c568b38f9fdc08dd58cddc2f4fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
c4a76c6bb103b7e28fc3477b5dd00f6e

SHA1
e9593f885c78d1fe28deea63fed227321e83f956

SHA256
97243b68b8e018cd6e31738455e69ead11e4f27d2826d4fe476f2bc879dd9c5d

SHA512
fdbbb4cafe5128e4932fcf82a3c08994fb4c45c27a3e00f4b9503fa2db6a3b7226105829acb1e4b4944f21a858812ad3d4af37b080c88391b8275e9f752d1728

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
805f32b02deccc57e0b187b52c7744e6

SHA1
d7db8774289863bd66667063dcaa166c9a8b1147

SHA256
ac2cb28d1ecefa8e9efa9ed766babad5bc058fd83ac0d3304da155dab49d53e2

SHA512
c7ca4882d86c59eeb5426204c4bad6a378606d1d9a54254f67b56a7347e1657b36d8bebd0c5d978c860bc428fb3986e92fa640926383d8d0235e4bdf7670cfc2

Download Submit
memory/964-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/964-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1416-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1416-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1416-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1924-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1924-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2236-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3568-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3568-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3568-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3568-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3972-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3972-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4904-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4904-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4904-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4904-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4904-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4904-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4904-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download