neconyd | 4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Size

96KB
MD5

20506b8e84787159e0193acda0990e3e
SHA1

10f672fd1f6a2041184ba0e6494250bb78dd8da9
SHA256

4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e
SHA512

5caac43d66d54db0b9070d4329c6b14a48e63cea467c046f9be26167dcd23c49dbdf0e3e4bb2b85b12120621b087291f728dbce68398c7903a5bb92798f8ee82
SSDEEP

1536:FnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:FGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1368	omsecor.exe
3656	omsecor.exe
4048	omsecor.exe
3860	omsecor.exe
4928	omsecor.exe
4696	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 680 set thread context of 1732	680	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	83
PID 1368 set thread context of 3656	1368	omsecor.exe	88
PID 4048 set thread context of 3860	4048	omsecor.exe	110
PID 4928 set thread context of 4696	4928	omsecor.exe	114

Program crash 4 IoCs

pid	pid_target	Process	procid_target
408	680	WerFault.exe	82
752	1368	WerFault.exe	85
2076	4048	WerFault.exe	109
4308	4928	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 1732	680	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	83
PID 680 wrote to memory of 1732	680	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	83
PID 680 wrote to memory of 1732	680	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	83
PID 680 wrote to memory of 1732	680	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	83
PID 680 wrote to memory of 1732	680	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	83
PID 1732 wrote to memory of 1368	1732	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	85
PID 1732 wrote to memory of 1368	1732	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	85
PID 1732 wrote to memory of 1368	1732	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	85
PID 1368 wrote to memory of 3656	1368	omsecor.exe	88
PID 1368 wrote to memory of 3656	1368	omsecor.exe	88
PID 1368 wrote to memory of 3656	1368	omsecor.exe	88
PID 1368 wrote to memory of 3656	1368	omsecor.exe	88
PID 1368 wrote to memory of 3656	1368	omsecor.exe	88
PID 3656 wrote to memory of 4048	3656	omsecor.exe	109
PID 3656 wrote to memory of 4048	3656	omsecor.exe	109
PID 3656 wrote to memory of 4048	3656	omsecor.exe	109
PID 4048 wrote to memory of 3860	4048	omsecor.exe	110
PID 4048 wrote to memory of 3860	4048	omsecor.exe	110
PID 4048 wrote to memory of 3860	4048	omsecor.exe	110
PID 4048 wrote to memory of 3860	4048	omsecor.exe	110
PID 4048 wrote to memory of 3860	4048	omsecor.exe	110
PID 3860 wrote to memory of 4928	3860	omsecor.exe	112
PID 3860 wrote to memory of 4928	3860	omsecor.exe	112
PID 3860 wrote to memory of 4928	3860	omsecor.exe	112
PID 4928 wrote to memory of 4696	4928	omsecor.exe	114
PID 4928 wrote to memory of 4696	4928	omsecor.exe	114
PID 4928 wrote to memory of 4696	4928	omsecor.exe	114
PID 4928 wrote to memory of 4696	4928	omsecor.exe	114
PID 4928 wrote to memory of 4696	4928	omsecor.exe	114

C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
"C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
  C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3656
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4048
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 268
        8⤵
        Program crash
        
        PID:4308
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 292
        6⤵
        Program crash
        
        PID:2076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 304
      4⤵
      Program crash
      PID:752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 300
  2⤵
  - Program crash
  PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 680 -ip 680
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1368 -ip 1368
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4048 -ip 4048
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4928 -ip 4928
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c6e026b070a156c5c24b3e36f5b18bde

SHA1
35b9541baa7491ce81a52b840f460bc7558e9825

SHA256
509293ae578ab38e9ec0913a7980eaa576ae5b39d4ad4646e8b4d264fae69fa3

SHA512
f8ddcab079e577ad723f8dd982babca68b2448976c480575a4dde92071f414773528df6db6aea4d609ca73325a95150519ef0beaf620b29e1e8e3f9c99cbe0fd

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
18a46c1601e70d270cec3c27305f07dd

SHA1
1a84bc2f363cd80ce4665dd5f602248bd3c54f14

SHA256
5b139876d77abed497e0763a981afa6a209fb37df83e01093dd1dac7594d2a16

SHA512
e68d629a913b74d2b01a793dec0410b8d9fd73c80f5cc4de34d665d0be7c95309a84b9d84ec71b2ddd7db33b6a485574d67c95fe32fb2e9703aff6c9a211f3a2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
fb74b6a66550b39a936e49ca18948e89

SHA1
797783e9937147f3f2ec9e12242080bdb6424fe3

SHA256
ebe4dfab5df1dadda647be384ef999f0dffdf7d2b66221e57af88defb9510555

SHA512
303e1d841f0381488d7bb3a735a547c9e2e6573700b42adb57318f1321b9b9b1ca339841d5b85c261ee89cbd97bb3cfb1a5484bb5efb3975eaa29c36675244b8

Download Submit
memory/680-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/680-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1368-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1732-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1732-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3860-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3860-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3860-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4048-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4048-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4696-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4696-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4696-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4928-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4928-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download