neconyd | 632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889

General

Target

632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
Size

90KB
MD5

a1ccfdb5868b1f6aa38509a93378748d
SHA1

6629955bd0a679f6475d29011f33c9a874c74436
SHA256

632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889
SHA512

522f0f7f863a01f0818a21fa1c80f8670f9af18afaf7d0641a37e04288edfe88f03748f84cbe1c7c4bb7541c54278632d3a58be956b15a737f01ea9e8a8fbb5f
SSDEEP

768:xMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:xbIvYvZEyFKF6N4aS5AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2300	omsecor.exe
584	omsecor.exe
2248	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1996	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
1996	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
2300	omsecor.exe
2300	omsecor.exe
584	omsecor.exe
584	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2300	1996	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe	29
PID 1996 wrote to memory of 2300	1996	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe	29
PID 1996 wrote to memory of 2300	1996	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe	29
PID 1996 wrote to memory of 2300	1996	632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe	29
PID 2300 wrote to memory of 584	2300	omsecor.exe	31
PID 2300 wrote to memory of 584	2300	omsecor.exe	31
PID 2300 wrote to memory of 584	2300	omsecor.exe	31
PID 2300 wrote to memory of 584	2300	omsecor.exe	31
PID 584 wrote to memory of 2248	584	omsecor.exe	32
PID 584 wrote to memory of 2248	584	omsecor.exe	32
PID 584 wrote to memory of 2248	584	omsecor.exe	32
PID 584 wrote to memory of 2248	584	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe
"C:\Users\Admin\AppData\Local\Temp\632c1f0f3391c57d6a035e8ac2f3a90c40f662652b52f19cd47cfa13de84b889.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
72542676839b607248b031f559969f1c

SHA1
65025b59dfe57fc09cf8c70afb506060e3bd5569

SHA256
de46d700f7bc3797930f7ba7f3ff2f2dece87ab311fbc36d1cfd0ba6420b4df4

SHA512
c73285f5db11938f9071204122a6f2ec554ca37f548320a90afa1a7e0d461cb652efa7feeb9ef2694186e708b042f673a3b399458347606ff00707d3f8e5e198

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
23524d22330f7686d4804fa940667c52

SHA1
da490ce6c085f0d33d528d97f7f65f8a7af71447

SHA256
cb48003002bb5aafd28c3bfd6c611a89b0afbbec10d5e5b88914a421cdd1d8d2

SHA512
db381c7f60a95f67eebd1ecc6cf8a808764487184fdbfb681c1ee4fb68b2f180953615fde498e1028a84e4e417f75eaf70cbba08efccf41b2da8c9e67fbb5318

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
a367e4e0b508f354fc33fcbd9f787ee7

SHA1
e14cc583ba2c58ef6aa507de9fa9e627b09730ca

SHA256
87a3f2f34755e1d5c3bb0d78575853abe42d4bc143ce48bb364215af34d39795

SHA512
eaeed0fa658c2bd0fd6790f89c135e369215e0b64e2b2529deaaaf884301dffe6dc67b0821f4a28d95054b467c4445f6dff1d2a9e3f4ca0be15f387019d96e35

Download Submit
memory/584-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1996-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1996-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2248-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2248-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2300-22-0x0000000002250000-0x000000000227B000-memory.dmp

Filesize
172KB

Download
memory/2300-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2300-23-0x0000000002250000-0x000000000227B000-memory.dmp

Filesize
172KB

Download
memory/2300-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2300-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing