neconyd | 68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399

General

Target

68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe
Size

92KB
MD5

587b6d81e23b25972132a72f2bb24d17
SHA1

dfff9825cbe8dcdfd2792990b7ad0cd9922a5b5f
SHA256

68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399
SHA512

11023f3a3e2c771d18a0f40313e230b035004a3df2691838fb47b2b31f7f5d01b23cae68b60d21e87c261f4ad4f5d4d7eb61c7bef5eed8e48199af922619e223
SSDEEP

1536:5d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:ZdseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2092	omsecor.exe
1328	omsecor.exe
1520	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2068	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe
2068	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe
2092	omsecor.exe
2092	omsecor.exe
1328	omsecor.exe
1328	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2092	2068	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe	30
PID 2068 wrote to memory of 2092	2068	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe	30
PID 2068 wrote to memory of 2092	2068	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe	30
PID 2068 wrote to memory of 2092	2068	68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe	30
PID 2092 wrote to memory of 1328	2092	omsecor.exe	33
PID 2092 wrote to memory of 1328	2092	omsecor.exe	33
PID 2092 wrote to memory of 1328	2092	omsecor.exe	33
PID 2092 wrote to memory of 1328	2092	omsecor.exe	33
PID 1328 wrote to memory of 1520	1328	omsecor.exe	34
PID 1328 wrote to memory of 1520	1328	omsecor.exe	34
PID 1328 wrote to memory of 1520	1328	omsecor.exe	34
PID 1328 wrote to memory of 1520	1328	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe
"C:\Users\Admin\AppData\Local\Temp\68071d20870b8833e1220a00f5486a421642ecff7f29951cf1fe7eb646441399.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
d75fa29c872c683fe0e2fa4963dc1754

SHA1
c6c5d9bc6e58604a488d3c35b449593cb41e0c7c

SHA256
7af5941911e04475e969b4dce5c0dfd8c00e261294614c084e58e0ff71c50950

SHA512
fb5d1780fc957c36b8731a79ad668447d89f4d22c50007abc7c1f3b1e308dc90104692da36dce1b9eea120288c9f7543f5824050a935ea2a649fad667b7811e2

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
4cfc3d4c6d674711fd5ec72929d0906b

SHA1
29e03538de342a49ed377cc52143a488da386f44

SHA256
4752ea0272bc23e4141417e5d4dbab1f5611e608c9a1e0aa71331dfb5736322f

SHA512
5443375e6d705f07b2aea9cb7e3452261c6beb9a6e66b679d6d24f5d076d51ff90060a1b461628c4b614a85fe498afdeafce3d3f81a85478b528edc5391a6245

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
6433b71b1c915fd003c4feeaf4dd3c37

SHA1
c3f30a7ed97f2e9f9df3536aed003229a39467bf

SHA256
7f52c702e0059abad8af41472000a260ffdc204b22c219a7a36cddde147ed6c1

SHA512
0290093df044298927110548104817e83115590465524f5075eabb68b7bf073c5e39da79c2e426fc5f792a2212d969f45923928894c7cc7fccdc88514a6760d7

Download Submit
memory/1328-33-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/1328-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1520-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1520-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2068-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2092-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2092-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2092-16-0x0000000001FA0000-0x0000000001FCB000-memory.dmp

Filesize
172KB

Download
memory/2092-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing