neconyd | c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Size

96KB
MD5

e3e2a0768e41f6c02ff6bad57caec4f2
SHA1

dc5c7d021301f8eb3b80a9ac0359db3376c5881c
SHA256

c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16
SHA512

1d93d89c672b16844a29ae876414cf13b537370fa93009dcde6f614ca317a023ce6cfb16b0624c3b6f935ef6491f034c62aa388e50ce680594bf1d094a074cd3
SSDEEP

1536:6nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:6Gs8cd8eXlYairZYqMddH13p

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4780	omsecor.exe
2032	omsecor.exe
4588	omsecor.exe
4368	omsecor.exe
4004	omsecor.exe
3676	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4408 set thread context of 4920	4408	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	86
PID 4780 set thread context of 2032	4780	omsecor.exe	91
PID 4588 set thread context of 4368	4588	omsecor.exe	112
PID 4004 set thread context of 3676	4004	omsecor.exe	116

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1544	4408	WerFault.exe	85
3420	4780	WerFault.exe	88
1904	4588	WerFault.exe	111
2092	4004	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4920	4408	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	86
PID 4408 wrote to memory of 4920	4408	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	86
PID 4408 wrote to memory of 4920	4408	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	86
PID 4408 wrote to memory of 4920	4408	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	86
PID 4408 wrote to memory of 4920	4408	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	86
PID 4920 wrote to memory of 4780	4920	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	88
PID 4920 wrote to memory of 4780	4920	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	88
PID 4920 wrote to memory of 4780	4920	c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe	88
PID 4780 wrote to memory of 2032	4780	omsecor.exe	91
PID 4780 wrote to memory of 2032	4780	omsecor.exe	91
PID 4780 wrote to memory of 2032	4780	omsecor.exe	91
PID 4780 wrote to memory of 2032	4780	omsecor.exe	91
PID 4780 wrote to memory of 2032	4780	omsecor.exe	91
PID 2032 wrote to memory of 4588	2032	omsecor.exe	111
PID 2032 wrote to memory of 4588	2032	omsecor.exe	111
PID 2032 wrote to memory of 4588	2032	omsecor.exe	111
PID 4588 wrote to memory of 4368	4588	omsecor.exe	112
PID 4588 wrote to memory of 4368	4588	omsecor.exe	112
PID 4588 wrote to memory of 4368	4588	omsecor.exe	112
PID 4588 wrote to memory of 4368	4588	omsecor.exe	112
PID 4588 wrote to memory of 4368	4588	omsecor.exe	112
PID 4368 wrote to memory of 4004	4368	omsecor.exe	114
PID 4368 wrote to memory of 4004	4368	omsecor.exe	114
PID 4368 wrote to memory of 4004	4368	omsecor.exe	114
PID 4004 wrote to memory of 3676	4004	omsecor.exe	116
PID 4004 wrote to memory of 3676	4004	omsecor.exe	116
PID 4004 wrote to memory of 3676	4004	omsecor.exe	116
PID 4004 wrote to memory of 3676	4004	omsecor.exe	116
PID 4004 wrote to memory of 3676	4004	omsecor.exe	116

C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
"C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
  C:\Users\Admin\AppData\Local\Temp\c2f0536c57b40ed0b4d76fd50dd0295d542d90a4b9421eda6a70816fecc4dc16.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 268
        8⤵
        Program crash
        
        PID:2092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 292
        6⤵
        Program crash
        
        PID:1904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 284
      4⤵
      Program crash
      PID:3420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 288
  2⤵
  - Program crash
  PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4408 -ip 4408
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4780 -ip 4780
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4588 -ip 4588
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4004 -ip 4004
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
af7b1211927b9557e2ceaecc0cc7b841

SHA1
48a8e03ffe308361c234a6fca291eb9bbfac615d

SHA256
1cf275e922f3960d596967c7aeb1476ab7a9005b6d16fd1f6904b8d270a0555e

SHA512
9fb1a7006a42fe0985c1a737debc9f16733ef5a290f4ad7c881a11ea0c7fc3d5f965ba6e4d6914a98a7f6305665139b9f95bbea1b56d3aa09ee9c34dc0f9c50d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
480a1e4d9a886327f336edbc48dee8c2

SHA1
bb4c254ed0fcf180ba0769ece81d47c58c10be47

SHA256
4d35b692bde7355551ce1811f6f3113808d2d6a4622501407adf6f4c38a0e960

SHA512
adf16b9c25d725f6f16daf7df1e705515df0ccc54720fdd5e99e4a531d0fa7e8d17cbd1e95a84f8de24b7b4e9df26c9aa014a22e87274ace267152d38d221b15

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d0cb93620f3fc61741f26d23d6d4caff

SHA1
1b712e6d8eb7575e2b76ec97a9636d06050bbf96

SHA256
d71d3b2aa151f7c78d31ee000cd4168090f5359380355024a7914087d67276b3

SHA512
b8f8d046985f552f68c3f0e68352fde0ec890486249132e1cb2912408ee27b3ae7f22b137802c25604c3fb0c3efef9e41bf9b3719121323ab0b7ae4fa22866fc

Download Submit
memory/2032-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2032-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3676-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3676-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3676-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3676-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4004-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4004-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4368-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4368-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4408-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4408-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4588-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4588-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4780-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4920-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download