neconyd | 632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889

General

Target

632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
Size

90KB
MD5

a1ccfdb5868b1f6aa38509a93378748d
SHA1

6629955bd0a679f6475d29011f33c9a874c74436
SHA256

632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889
SHA512

522f0f7f863a01f0818a21fa1c80f8670f9af18afaf7d0641a37e04288edfe88f03748f84cbe1c7c4bb7541c54278632d3a58be956b15a737f01ea9e8a8fbb5f
SSDEEP

768:xMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:xbIvYvZEyFKF6N4aS5AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2344	omsecor.exe
2444	omsecor.exe
2748	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2580	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
2580	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
2344	omsecor.exe
2344	omsecor.exe
2444	omsecor.exe
2444	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2344	2580	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe	29
PID 2580 wrote to memory of 2344	2580	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe	29
PID 2580 wrote to memory of 2344	2580	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe	29
PID 2580 wrote to memory of 2344	2580	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe	29
PID 2344 wrote to memory of 2444	2344	omsecor.exe	31
PID 2344 wrote to memory of 2444	2344	omsecor.exe	31
PID 2344 wrote to memory of 2444	2344	omsecor.exe	31
PID 2344 wrote to memory of 2444	2344	omsecor.exe	31
PID 2444 wrote to memory of 2748	2444	omsecor.exe	32
PID 2444 wrote to memory of 2748	2444	omsecor.exe	32
PID 2444 wrote to memory of 2748	2444	omsecor.exe	32
PID 2444 wrote to memory of 2748	2444	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
"C:\Users\Admin\AppData\Local\Temp\632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
72542676839b607248b031f559969f1c

SHA1
65025b59dfe57fc09cf8c70afb506060e3bd5569

SHA256
de46d700f7bc3797930f7ba7f3ff2f2dece87ab311fbc36d1cfd0ba6420b4df4

SHA512
c73285f5db11938f9071204122a6f2ec554ca37f548320a90afa1a7e0d461cb652efa7feeb9ef2694186e708b042f673a3b399458347606ff00707d3f8e5e198

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
612e204a569e7a859de4c20e7bb58985

SHA1
37a87278399047ce77e24020169a726e68be02e9

SHA256
025b78b07f0f05c20a569286ab2949170534f4032c0c6c162df2fc2cdaacbf3f

SHA512
1d358adf84d689a7b5068368c8723e081345980c75a10f5d1f6a83647c09d57699358ce82416c1cdc2a98e6462567b668d4ed7cc5ca8fe489219c2232171b550

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
a7f57e59775d6dc70ae480295fad9df8

SHA1
898bf98ba0e53721251c1d9e25fee8d032eab073

SHA256
f896c848c3ae855ff66659c13a499380e6f671dd41507757f050483198c18ed6

SHA512
8556a9e788c25bedadb8a5b1b07016fc4778171fda6f48afcc9fcbd489a6e8f930832947db9e1734e2301fc970177e9f91a71202a725994c906fc7cac802e7f1

Download Submit
memory/2344-18-0x0000000000340000-0x000000000036B000-memory.dmp

Filesize
172KB

Download
memory/2344-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2344-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2344-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-30-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2580-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2580-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2748-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2748-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing