neconyd | dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869

General

Target

dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
Size

96KB
MD5

d9897cde7049a8005bb133bea32a429e
SHA1

25cde604b5366ed493d6d5580e6942b4811f3cb0
SHA256

dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869
SHA512

32a94635060ea29841953312e5aa60276dab355f5433ea2693e27551d83a57924d40f6b7eb2942f0c55788cd279fa8d79f336877aad9baa3e48c5ebfc3f8c408
SSDEEP

1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:DGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

1088 omsecor.exe
1444 omsecor.exe
3196 omsecor.exe
3512 omsecor.exe
3000 omsecor.exe
4360 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
1088	omsecor.exe
1444	omsecor.exe
3196	omsecor.exe
3512	omsecor.exe
3000	omsecor.exe
4360	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4536 set thread context of 1784	4536	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
PID 1088 set thread context of 1444	1088	omsecor.exe	omsecor.exe
PID 3196 set thread context of 3512	3196	omsecor.exe	omsecor.exe
PID 3000 set thread context of 4360	3000	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2692	4536	WerFault.exe	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
664	1088	WerFault.exe	omsecor.exe
4848	3196	WerFault.exe	omsecor.exe
1636	3000	WerFault.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

omsecor.exeomsecor.exeomsecor.exedbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exedbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exeomsecor.exeomsecor.exeomsecor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exedbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4536 wrote to memory of 1784	4536	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
PID 4536 wrote to memory of 1784	4536	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
PID 4536 wrote to memory of 1784	4536	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
PID 4536 wrote to memory of 1784	4536	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
PID 4536 wrote to memory of 1784	4536	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
PID 1784 wrote to memory of 1088	1784	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe	omsecor.exe
PID 1784 wrote to memory of 1088	1784	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe	omsecor.exe
PID 1784 wrote to memory of 1088	1784	dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe	omsecor.exe
PID 1088 wrote to memory of 1444	1088	omsecor.exe	omsecor.exe
PID 1088 wrote to memory of 1444	1088	omsecor.exe	omsecor.exe
PID 1088 wrote to memory of 1444	1088	omsecor.exe	omsecor.exe
PID 1088 wrote to memory of 1444	1088	omsecor.exe	omsecor.exe
PID 1088 wrote to memory of 1444	1088	omsecor.exe	omsecor.exe
PID 1444 wrote to memory of 3196	1444	omsecor.exe	omsecor.exe
PID 1444 wrote to memory of 3196	1444	omsecor.exe	omsecor.exe
PID 1444 wrote to memory of 3196	1444	omsecor.exe	omsecor.exe
PID 3196 wrote to memory of 3512	3196	omsecor.exe	omsecor.exe
PID 3196 wrote to memory of 3512	3196	omsecor.exe	omsecor.exe
PID 3196 wrote to memory of 3512	3196	omsecor.exe	omsecor.exe
PID 3196 wrote to memory of 3512	3196	omsecor.exe	omsecor.exe
PID 3196 wrote to memory of 3512	3196	omsecor.exe	omsecor.exe
PID 3512 wrote to memory of 3000	3512	omsecor.exe	omsecor.exe
PID 3512 wrote to memory of 3000	3512	omsecor.exe	omsecor.exe
PID 3512 wrote to memory of 3000	3512	omsecor.exe	omsecor.exe
PID 3000 wrote to memory of 4360	3000	omsecor.exe	omsecor.exe
PID 3000 wrote to memory of 4360	3000	omsecor.exe	omsecor.exe
PID 3000 wrote to memory of 4360	3000	omsecor.exe	omsecor.exe
PID 3000 wrote to memory of 4360	3000	omsecor.exe	omsecor.exe
PID 3000 wrote to memory of 4360	3000	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
"C:\Users\Admin\AppData\Local\Temp\dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
  C:\Users\Admin\AppData\Local\Temp\dbbbda7913e0c7b458ce9d2a05a2001dc135da308499ae28bbb883922bbbe869.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3196
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 256
        8⤵
        Program crash
        
        PID:1636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 296
        6⤵
        Program crash
        
        PID:4848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 300
      4⤵
      Program crash
      PID:664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 288
  2⤵
  - Program crash
  PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4536 -ip 4536
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1088 -ip 1088
1⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1016,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3196 -ip 3196
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3000 -ip 3000
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ecd5de73bea21836ea5dc19e85edd41c

SHA1
6ff2f7b4b0e8a92f676dd571a45ae040c7ffaf28

SHA256
0ced40e239edcd5fc979f24e91b5eefaf115f730930d361ee62766da8b7115bd

SHA512
37cc171f92a2234bbf2e73fb9013fe10d324f68abc046e0e6e615597881201923fec4707c10915f8cc000eb192bbefbb7d9875c31bdc34be4b4e54d932be8214

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d9228c948ef343c471d0e1261dde5d2f

SHA1
6fab98fea880fa1c29b5220acde9d4e319c41726

SHA256
0ce3ebc852c06d2459749518a3aae171112c93e98ae94ca8282dad2446420243

SHA512
c2ff0c1ca505f30c5f353a25aa315c3a67aa1d341342c91a522dafc3081cf5fc5889a66c25bdfe66c7182ba7486602b3103bfc43ca5fcf9c9b91194525d8f70f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
13b48d5837c95cbbad6c8272b8e48337

SHA1
d95bdf84c220714bb8c823bde00b0780354125d1

SHA256
356cc3ed9df6264527a5a5af011e035ff50d51cda952569313e6c38b09251c41

SHA512
4ad490aa93e2f0a969d2e1a5d1ec1e5172329cad7e1e216869bc90d3895685a5d5f8bed42b7ddf567be3de21866d61296fd3a491b7693b201758aa762ec53a27

Download Submit
memory/1088-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1088-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1444-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1784-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3000-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3196-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3196-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3512-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4360-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4360-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4360-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4360-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4536-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4536-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads