neconyd | c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Size

96KB
MD5

e3e2a0768e41f6c02ff6bad57caec4f2
SHA1

dc5c7d021301f8eb3b80a9ac0359db3376c5881c
SHA256

c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16
SHA512

1d93d89c672b16844a29ae876414cf13b537370fa93009dcde6f614ca317a023ce6cfb16b0624c3b6f935ef6491f034c62aa388e50ce680594bf1d094a074cd3
SSDEEP

1536:6nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:6Gs8cd8eXlYairZYqMddH13p

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1924	omsecor.exe
780	omsecor.exe
4432	omsecor.exe
2040	omsecor.exe
2440	omsecor.exe
4008	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 4848	1208	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	85
PID 1924 set thread context of 780	1924	omsecor.exe	90
PID 4432 set thread context of 2040	4432	omsecor.exe	111
PID 2440 set thread context of 4008	2440	omsecor.exe	115

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4560	1208	WerFault.exe	84
2696	1924	WerFault.exe	87
1948	4432	WerFault.exe	110
1440	2440	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 4848	1208	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	85
PID 1208 wrote to memory of 4848	1208	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	85
PID 1208 wrote to memory of 4848	1208	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	85
PID 1208 wrote to memory of 4848	1208	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	85
PID 1208 wrote to memory of 4848	1208	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	85
PID 4848 wrote to memory of 1924	4848	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	87
PID 4848 wrote to memory of 1924	4848	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	87
PID 4848 wrote to memory of 1924	4848	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	87
PID 1924 wrote to memory of 780	1924	omsecor.exe	90
PID 1924 wrote to memory of 780	1924	omsecor.exe	90
PID 1924 wrote to memory of 780	1924	omsecor.exe	90
PID 1924 wrote to memory of 780	1924	omsecor.exe	90
PID 1924 wrote to memory of 780	1924	omsecor.exe	90
PID 780 wrote to memory of 4432	780	omsecor.exe	110
PID 780 wrote to memory of 4432	780	omsecor.exe	110
PID 780 wrote to memory of 4432	780	omsecor.exe	110
PID 4432 wrote to memory of 2040	4432	omsecor.exe	111
PID 4432 wrote to memory of 2040	4432	omsecor.exe	111
PID 4432 wrote to memory of 2040	4432	omsecor.exe	111
PID 4432 wrote to memory of 2040	4432	omsecor.exe	111
PID 4432 wrote to memory of 2040	4432	omsecor.exe	111
PID 2040 wrote to memory of 2440	2040	omsecor.exe	114
PID 2040 wrote to memory of 2440	2040	omsecor.exe	114
PID 2040 wrote to memory of 2440	2040	omsecor.exe	114
PID 2440 wrote to memory of 4008	2440	omsecor.exe	115
PID 2440 wrote to memory of 4008	2440	omsecor.exe	115
PID 2440 wrote to memory of 4008	2440	omsecor.exe	115
PID 2440 wrote to memory of 4008	2440	omsecor.exe	115
PID 2440 wrote to memory of 4008	2440	omsecor.exe	115

C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
"C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
  C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 256
        8⤵
        Program crash
        
        PID:1440
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 304
        6⤵
        Program crash
        
        PID:1948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 300
      4⤵
      Program crash
      PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 288
  2⤵
  - Program crash
  PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1208 -ip 1208
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1924 -ip 1924
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4432 -ip 4432
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2440 -ip 2440
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
86e1dd3c1c3c85905b3dbd36bcc35803

SHA1
70f62089422b73bf7f5726d19bdda9842286290e

SHA256
b9250b6e6680b26717e91a45075db8293ebb04940660c7ea7debde5daf7bf515

SHA512
9d9fba0454b9be66c6c2c54cf2c472f95e01dd0c913898d918586d3fead032f5b9a46b79c914475b5e452ee59bdac7ebc851c18d51f45bb331ff9c840e58f078

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
480a1e4d9a886327f336edbc48dee8c2

SHA1
bb4c254ed0fcf180ba0769ece81d47c58c10be47

SHA256
4d35b692bde7355551ce1811f6f3113808d2d6a4622501407adf6f4c38a0e960

SHA512
adf16b9c25d725f6f16daf7df1e705515df0ccc54720fdd5e99e4a531d0fa7e8d17cbd1e95a84f8de24b7b4e9df26c9aa014a22e87274ace267152d38d221b15

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d4dbca35a41ff8bf6c3ad9ab80591375

SHA1
b88b1ed0d536aebb3548a6efd9c75795916d3435

SHA256
0c2b9355e665889a70cd435959609548b87ef3d4057ec65898a639dc365d832e

SHA512
c731a3ae033da193f5fb3aa22d4ef944a77ecc6febaca904d48a131ceeab10a481c4af6cbf66e30be68da8decc3ced4d3eddad490148b52274604c65e530d7d1

Download Submit
memory/780-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/780-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/780-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/780-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/780-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/780-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/780-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1208-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1208-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1924-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1924-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2040-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2440-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4008-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4008-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4008-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4432-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4432-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4848-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download