neconyd | cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe
Size

96KB
MD5

41aee7ba2ed1d13c4a4850a14b24f380
SHA1

563f3f4333416ec0701e7ca26e5f7088572e70f5
SHA256

cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390
SHA512

231984c5f4e7563b028afbdc218fc5625ed392b1e2c9a85a11c5587b444bc5ac8b726656a232416550ab00edaf965aa962bbf016cc5034340dbe1257b7f1b156
SSDEEP

1536:QnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:QGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
964	omsecor.exe
772	omsecor.exe
3624	omsecor.exe
4124	omsecor.exe
2260	omsecor.exe
4576	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 4792	3048	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe	83
PID 964 set thread context of 772	964	omsecor.exe	88
PID 3624 set thread context of 4124	3624	omsecor.exe	101
PID 2260 set thread context of 4576	2260	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1888	3048	WerFault.exe	82
1152	964	WerFault.exe	85
1804	3624	WerFault.exe	100
2376	2260	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 4792	3048	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe	83
PID 3048 wrote to memory of 4792	3048	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe	83
PID 3048 wrote to memory of 4792	3048	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe	83
PID 3048 wrote to memory of 4792	3048	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe	83
PID 3048 wrote to memory of 4792	3048	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe	83
PID 4792 wrote to memory of 964	4792	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe	85
PID 4792 wrote to memory of 964	4792	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe	85
PID 4792 wrote to memory of 964	4792	cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe	85
PID 964 wrote to memory of 772	964	omsecor.exe	88
PID 964 wrote to memory of 772	964	omsecor.exe	88
PID 964 wrote to memory of 772	964	omsecor.exe	88
PID 964 wrote to memory of 772	964	omsecor.exe	88
PID 964 wrote to memory of 772	964	omsecor.exe	88
PID 772 wrote to memory of 3624	772	omsecor.exe	100
PID 772 wrote to memory of 3624	772	omsecor.exe	100
PID 772 wrote to memory of 3624	772	omsecor.exe	100
PID 3624 wrote to memory of 4124	3624	omsecor.exe	101
PID 3624 wrote to memory of 4124	3624	omsecor.exe	101
PID 3624 wrote to memory of 4124	3624	omsecor.exe	101
PID 3624 wrote to memory of 4124	3624	omsecor.exe	101
PID 3624 wrote to memory of 4124	3624	omsecor.exe	101
PID 4124 wrote to memory of 2260	4124	omsecor.exe	103
PID 4124 wrote to memory of 2260	4124	omsecor.exe	103
PID 4124 wrote to memory of 2260	4124	omsecor.exe	103
PID 2260 wrote to memory of 4576	2260	omsecor.exe	104
PID 2260 wrote to memory of 4576	2260	omsecor.exe	104
PID 2260 wrote to memory of 4576	2260	omsecor.exe	104
PID 2260 wrote to memory of 4576	2260	omsecor.exe	104
PID 2260 wrote to memory of 4576	2260	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe
"C:\Users\Admin\AppData\Local\Temp\cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe
  C:\Users\Admin\AppData\Local\Temp\cea82711c690c0f7609908ff9c2458ab95499dea52f7ff7ff23ed710a39c6390N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 256
        8⤵
        Program crash
        
        PID:2376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 292
        6⤵
        Program crash
        
        PID:1804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 288
      4⤵
      Program crash
      PID:1152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 300
  2⤵
  - Program crash
  PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3048 -ip 3048
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 964 -ip 964
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3624 -ip 3624
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2260 -ip 2260
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8cbccb0a96b44c018ac121396b67ce7e

SHA1
875cf88e990e099528b7a2154b0d4080c9e1368a

SHA256
77f2d0940dfce3e9b2247cfb2645983ad7d03d3f830e9b5b88f65fd180c083a2

SHA512
2ac41023e4211b58d222d100378acef09708b6ae35f1f45874b46a5ea7fbd8e778bf242ba4e6e9748dc26fab4874ea4f1ccfc75bc1550f25eb18d6e294ed587a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4e8eb77d959d91eaf77aad451418f2dc

SHA1
6079a63b84ee2bc293502db4967b5a3c342e8f63

SHA256
1af3326188f307d899face620b9f4f61f8401e60f0ad8161313713698034c3ba

SHA512
559f0413b364f9598565ce40d6afea650b0326a2ce87650144429eb3ad9e31c44e99caf74f5fa3b478e1b01f77ca232b095808a6dcdad8232e25d447e389c562

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
296ba38d1dd63bdd04960c4aba2eebb4

SHA1
87487456bf6e14707f9cada07dfcaed51707aa49

SHA256
176b5e7faf08362fd5510f3ff5424d2f9c01ad4cd50deaa50d73304df02fc9fc

SHA512
316c2e29ba974ecb4aeb76d150d6d3af8d1d9edede7fc306be8693005c4d680b40c41a00f010725b36e94e103d45267d7026ee53e2f63221697e0aea4208db08

Download Submit
memory/772-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/964-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2260-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3048-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3048-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3624-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3624-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4124-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4124-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4124-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4792-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4792-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4792-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4792-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download