neconyd | 4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Size

96KB
MD5

20506b8e84787159e0193acda0990e3e
SHA1

10f672fd1f6a2041184ba0e6494250bb78dd8da9
SHA256

4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e
SHA512

5caac43d66d54db0b9070d4329c6b14a48e63cea467c046f9be26167dcd23c49dbdf0e3e4bb2b85b12120621b087291f728dbce68398c7903a5bb92798f8ee82
SSDEEP

1536:FnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:FGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2316	omsecor.exe
4484	omsecor.exe
1168	omsecor.exe
2364	omsecor.exe
2004	omsecor.exe
404	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 628 set thread context of 2520	628	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	84
PID 2316 set thread context of 4484	2316	omsecor.exe	88
PID 1168 set thread context of 2364	1168	omsecor.exe	110
PID 2004 set thread context of 404	2004	omsecor.exe	114

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3980	628	WerFault.exe	83
3528	2316	WerFault.exe	87
952	1168	WerFault.exe	109
1304	2004	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2520	628	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	84
PID 628 wrote to memory of 2520	628	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	84
PID 628 wrote to memory of 2520	628	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	84
PID 628 wrote to memory of 2520	628	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	84
PID 628 wrote to memory of 2520	628	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	84
PID 2520 wrote to memory of 2316	2520	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	87
PID 2520 wrote to memory of 2316	2520	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	87
PID 2520 wrote to memory of 2316	2520	4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe	87
PID 2316 wrote to memory of 4484	2316	omsecor.exe	88
PID 2316 wrote to memory of 4484	2316	omsecor.exe	88
PID 2316 wrote to memory of 4484	2316	omsecor.exe	88
PID 2316 wrote to memory of 4484	2316	omsecor.exe	88
PID 2316 wrote to memory of 4484	2316	omsecor.exe	88
PID 4484 wrote to memory of 1168	4484	omsecor.exe	109
PID 4484 wrote to memory of 1168	4484	omsecor.exe	109
PID 4484 wrote to memory of 1168	4484	omsecor.exe	109
PID 1168 wrote to memory of 2364	1168	omsecor.exe	110
PID 1168 wrote to memory of 2364	1168	omsecor.exe	110
PID 1168 wrote to memory of 2364	1168	omsecor.exe	110
PID 1168 wrote to memory of 2364	1168	omsecor.exe	110
PID 1168 wrote to memory of 2364	1168	omsecor.exe	110
PID 2364 wrote to memory of 2004	2364	omsecor.exe	112
PID 2364 wrote to memory of 2004	2364	omsecor.exe	112
PID 2364 wrote to memory of 2004	2364	omsecor.exe	112
PID 2004 wrote to memory of 404	2004	omsecor.exe	114
PID 2004 wrote to memory of 404	2004	omsecor.exe	114
PID 2004 wrote to memory of 404	2004	omsecor.exe	114
PID 2004 wrote to memory of 404	2004	omsecor.exe	114
PID 2004 wrote to memory of 404	2004	omsecor.exe	114

C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
"C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
  C:\Users\Admin\AppData\Local\Temp\4e3105834c6da882f47b353583e95aeef477ccb5187b0a65a1f32001062c8a4e.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 240
        8⤵
        Program crash
        
        PID:1304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 292
        6⤵
        Program crash
        
        PID:952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 292
      4⤵
      Program crash
      PID:3528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 292
  2⤵
  - Program crash
  PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 628 -ip 628
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2316 -ip 2316
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1168 -ip 1168
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2004 -ip 2004
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
5cd7ebc2c990abf14f326a87e2e6ec28

SHA1
3035141af65bc2cb31ac25551b9cae7a05f60f07

SHA256
b7f9fc327d0a8031bf2501a75836b10311e40b60a735fe69ad20b1ac372260ea

SHA512
fcca356f8790ec1c934237dcf6860cf23d1be72a3e4a3bc819f56955a5ebe06902a2c7d46de79366d741fdf82c17ec10dd2fab8a34a7c9408d20b63bfddbcb7f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
18a46c1601e70d270cec3c27305f07dd

SHA1
1a84bc2f363cd80ce4665dd5f602248bd3c54f14

SHA256
5b139876d77abed497e0763a981afa6a209fb37df83e01093dd1dac7594d2a16

SHA512
e68d629a913b74d2b01a793dec0410b8d9fd73c80f5cc4de34d665d0be7c95309a84b9d84ec71b2ddd7db33b6a485574d67c95fe32fb2e9703aff6c9a211f3a2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e0e87d73600733567f20033dc1df8ae3

SHA1
6c44907eac5a87e607fcded4ce9ec07ffc6c95ea

SHA256
3207878d553fd52d49d5702ad7b3533e69363664af6c072b218e481fdaab5e4a

SHA512
7a14f2d2eabb121de30439b060b57cf6501ed10232c9db4de4c6c73636730dcd4307d14d6b6809c2e7de75cec6db6af38eb33f2820f03807b82fbfba3559d5b3

Download Submit
memory/404-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/404-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/404-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/404-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/628-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1168-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1168-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2004-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2004-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2316-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download