neconyd | f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f

General

Target

f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe
Size

92KB
MD5

da37ab0901d58393f58440b8fd04e921
SHA1

46a9d071e6560b02abf7b23c4526cb04062bfdcf
SHA256

f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f
SHA512

3120842780a03c756b8a07ab04411916cf926249028954eae7713b38043e4af09cadd3dc493a41c084421f5a8bd869d8b3885a203353fcb9d6f9e3b08e507d96
SSDEEP

1536:Yd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5f:odseIOyEZEyFjEOFqTiQm5l/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2364	omsecor.exe
1596	omsecor.exe
1652	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2280	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe
2280	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe
2364	omsecor.exe
2364	omsecor.exe
1596	omsecor.exe
1596	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2364	2280	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe	30
PID 2280 wrote to memory of 2364	2280	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe	30
PID 2280 wrote to memory of 2364	2280	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe	30
PID 2280 wrote to memory of 2364	2280	f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe	30
PID 2364 wrote to memory of 1596	2364	omsecor.exe	32
PID 2364 wrote to memory of 1596	2364	omsecor.exe	32
PID 2364 wrote to memory of 1596	2364	omsecor.exe	32
PID 2364 wrote to memory of 1596	2364	omsecor.exe	32
PID 1596 wrote to memory of 1652	1596	omsecor.exe	33
PID 1596 wrote to memory of 1652	1596	omsecor.exe	33
PID 1596 wrote to memory of 1652	1596	omsecor.exe	33
PID 1596 wrote to memory of 1652	1596	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe
"C:\Users\Admin\AppData\Local\Temp\f36885d9310e513fcdfccedbe9f9d6a58af785604d5a3dda437d9d15f704847f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
e5f507ae233c9f89b074d98e8b3753b6

SHA1
5b81d05ca63491b269c192876950544ed962d664

SHA256
2694d51fdabedc8262b83c9442fa05cc79b6355cb0f334cc81e24e44064975d7

SHA512
72a06a483d6d1b9c188e1c8a19184ce5c2c94be06afa53d37622ca4bb47f8c3490d7c1ec4573c1e82b85a1bcc62a45d4af83d536a9f8e4af7643f8f32ada4de8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
91e9ca76897a2fa0aa60105d9b50d75d

SHA1
1c4eeb3157c53f621e139f5afcc6fcff23fba556

SHA256
f33218cb8f6888f05b2fc5bc4a767b80cf55fcd66a330b685c8a9506d00c6322

SHA512
67cf079b5cb36a335ae8fd4a5dffcf54cabd4d1b29f1317a92d7a3c8d499d83500ff87877ca7357a9f002ee822f1093e1365b8e0257cfb17d0b6173e9a3d2e30

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
54e08d89bf2b564be08a0897ea3ace1b

SHA1
828542065ce380edeef8c75b60f558f4e26f0b9f

SHA256
580836f88bace00b5ff205a0bae76994fb5c55b33d703604592a51f8bac8729d

SHA512
ed89b804ddd44bb22cabdfe202bb03306024fb9f07bb5e667b47841d0d155f53d4c95990245f9999641835903d919776229d7da1822013a03606a1b242c90c52

Download Submit
memory/1596-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1596-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1596-36-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1652-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1652-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2280-4-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2280-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2280-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2364-18-0x0000000000440000-0x000000000046B000-memory.dmp

Filesize
172KB

Download
memory/2364-23-0x0000000000440000-0x000000000046B000-memory.dmp

Filesize
172KB

Download
memory/2364-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2364-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing