neconyd | 1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8

General

Target

1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe
Size

90KB
MD5

0ef317c68831507eff1c6ecc1296b788
SHA1

e335614433169909ff1e1b6dccfbbb84f2d65998
SHA256

1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8
SHA512

46d3f2fd614ca32d47a8a6bb93f314791e65fa49ef1bbeae8e927571c0758eb430985b9be102931bdf02da3dbd1c451dcbbb0011317767d8719ddb62efa09db4
SSDEEP

768:8MEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAq:8bIvYvZEyFKF6N4aS5AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3004	omsecor.exe
1624	omsecor.exe
1892	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1480	1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe
1480	1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe
3004	omsecor.exe
3004	omsecor.exe
1624	omsecor.exe
1624	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3004	1480	1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe	30
PID 1480 wrote to memory of 3004	1480	1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe	30
PID 1480 wrote to memory of 3004	1480	1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe	30
PID 1480 wrote to memory of 3004	1480	1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe	30
PID 3004 wrote to memory of 1624	3004	omsecor.exe	33
PID 3004 wrote to memory of 1624	3004	omsecor.exe	33
PID 3004 wrote to memory of 1624	3004	omsecor.exe	33
PID 3004 wrote to memory of 1624	3004	omsecor.exe	33
PID 1624 wrote to memory of 1892	1624	omsecor.exe	34
PID 1624 wrote to memory of 1892	1624	omsecor.exe	34
PID 1624 wrote to memory of 1892	1624	omsecor.exe	34
PID 1624 wrote to memory of 1892	1624	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe
"C:\Users\Admin\AppData\Local\Temp\1f1ce439dcb822100bd991be62fe9a1f73c6209847dc654570d2bba4ee0a49b8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
d9b4589f60f4b47737ee15299423d5aa

SHA1
dd55262bf8f65a08dc86d2b64eec7bb671a216f6

SHA256
3a527acd200ec7d6cce5b14a73cea90314944bf65a87af9e4ee7eeb30dc45e62

SHA512
e23a8910f486a3b3c65e739c7115a4ff841a740c163e911796c8fa173d07f76794ec70c8de0ce1b8eb7fa788a339c51e9ade5da0720607b14e7bbfa9c3b2895b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
22ad2f9ac7b983fd04e30a45ebaeec20

SHA1
79b9742896e30c6f0d618c99a037315869f7dda2

SHA256
3ee479498cf3a6d664ce272b3baabcee1130e17c7bf40cee4130998bfc23ba8b

SHA512
55c5a33c042fbe085ce47dc941ad303f265ef404c160bf793b6cc14c17453579498b8dad0d881654e4292170a853e890e0d1761046e223304a5817b8fff55ee4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
d3149f61b000a53c8dec180580e6863f

SHA1
a07f004f47e69ea09cfebc28ba60754e88d9da86

SHA256
f15975b0f1388d7420694670e6f45113e7ac5e1b04e6e61e634f285c73aca17e

SHA512
ce2025b909f41eafc8a04a19bea07c72bf914a0cb0a887aae62bfc3c1f162d6497fc429f5b0abee4b2460392a2a65bfe4a560ebe259d68ed634a8987dbb5da55

Download Submit
memory/1480-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1480-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1624-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1624-30-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/1624-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1892-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3004-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3004-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3004-23-0x0000000000390000-0x00000000003BB000-memory.dmp

Filesize
172KB

Download
memory/3004-18-0x0000000000390000-0x00000000003BB000-memory.dmp

Filesize
172KB

Download
memory/3004-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing