neconyd | cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
Size

134KB
MD5

8d074aebb35db37fa02fc5d476e7ad59
SHA1

40ed0d486d32072df7027a71088816c22560a3de
SHA256

cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18
SHA512

3ba0c94ed1ffb469c73614867e5c808c68fc3a1b5efdd923a63b0ee02d36545f6bc1b61d43fbed78fa09606639fbbd2dc2570e6996337f20ef0618cabdf7a6e9
SSDEEP

1536:BDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCit:hiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2428	omsecor.exe
3052	omsecor.exe
228	omsecor.exe
1976	omsecor.exe
1112	omsecor.exe
3948	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 2496	4556	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	82
PID 2428 set thread context of 3052	2428	omsecor.exe	87
PID 228 set thread context of 1976	228	omsecor.exe	100
PID 1112 set thread context of 3948	1112	omsecor.exe	104

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4196	4556	WerFault.exe	81
4824	2428	WerFault.exe	85
4368	228	WerFault.exe	99
3316	1112	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2496	4556	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	82
PID 4556 wrote to memory of 2496	4556	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	82
PID 4556 wrote to memory of 2496	4556	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	82
PID 4556 wrote to memory of 2496	4556	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	82
PID 4556 wrote to memory of 2496	4556	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	82
PID 2496 wrote to memory of 2428	2496	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	85
PID 2496 wrote to memory of 2428	2496	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	85
PID 2496 wrote to memory of 2428	2496	cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe	85
PID 2428 wrote to memory of 3052	2428	omsecor.exe	87
PID 2428 wrote to memory of 3052	2428	omsecor.exe	87
PID 2428 wrote to memory of 3052	2428	omsecor.exe	87
PID 2428 wrote to memory of 3052	2428	omsecor.exe	87
PID 2428 wrote to memory of 3052	2428	omsecor.exe	87
PID 3052 wrote to memory of 228	3052	omsecor.exe	99
PID 3052 wrote to memory of 228	3052	omsecor.exe	99
PID 3052 wrote to memory of 228	3052	omsecor.exe	99
PID 228 wrote to memory of 1976	228	omsecor.exe	100
PID 228 wrote to memory of 1976	228	omsecor.exe	100
PID 228 wrote to memory of 1976	228	omsecor.exe	100
PID 228 wrote to memory of 1976	228	omsecor.exe	100
PID 228 wrote to memory of 1976	228	omsecor.exe	100
PID 1976 wrote to memory of 1112	1976	omsecor.exe	102
PID 1976 wrote to memory of 1112	1976	omsecor.exe	102
PID 1976 wrote to memory of 1112	1976	omsecor.exe	102
PID 1112 wrote to memory of 3948	1112	omsecor.exe	104
PID 1112 wrote to memory of 3948	1112	omsecor.exe	104
PID 1112 wrote to memory of 3948	1112	omsecor.exe	104
PID 1112 wrote to memory of 3948	1112	omsecor.exe	104
PID 1112 wrote to memory of 3948	1112	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
"C:\Users\Admin\AppData\Local\Temp\cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
  C:\Users\Admin\AppData\Local\Temp\cc085275dc948ac3e09eb20bceaa471518175a0ce7e8122bf97d64bf393c7c18.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:228
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 256
        8⤵
        Program crash
        
        PID:3316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 292
        6⤵
        Program crash
        
        PID:4368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 300
      4⤵
      Program crash
      PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 288
  2⤵
  - Program crash
  PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4556 -ip 4556
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2428 -ip 2428
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 228 -ip 228
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1112 -ip 1112
1⤵
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
bad61ecd86ba89ed176ead5d1b15aac5

SHA1
07da56ef41f76a80c8827ba852ac379a6ef4d096

SHA256
fa465a12befa18a3954319e5e8a22f6a1be69abb7223343de61db74e0ede7beb

SHA512
4fab8a73b0738b518e2ce3d91cc805c309561eb1423077d48bd22eae8e51a118d110b1be3d86000b0cb5eff4d9091f3aa614ac50f11b5b68456b7bb59b6e6dcf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
3fb1a3db2ef295c014dcdec27162c2da

SHA1
4e862937c4fa8b2750c825f1496c18d13f03d053

SHA256
6f8bb46c80870277a570f085c489b2295e0af82e1d8fe11e9dcd75c3811ee049

SHA512
07e6da6b4517856ef5a7b4735d074e9c0f6b293211de76b43f6b027fa5663555b76deeba2019f7327dde4df78c1152ad733b479318cbe3d0ef115c6e4c120468

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
142fe730e530ae0d504ffecc4e3ea5b7

SHA1
b7e069d94c938948a2277210935932ee85ffa0da

SHA256
8e91d1240880c52299fca7b771af5abd5ed3324b551a157603561ceff0b3600f

SHA512
6a4f4a2539c60f74fe03382b3beb120ce2b3fd9c3cbc28d27021b544d1530dd998f873bdfcf5d91563cde2f10f8fabd1d86d83adb342464c9558559c4f648bb9

Download Submit
memory/228-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/228-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1112-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1112-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1976-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2428-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2496-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3948-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4556-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4556-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download