neconyd | 1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e

General

Target

1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe
Size

33KB
MD5

627196b735ef70d0f7596bf838054b3c
SHA1

73fb1276a0b520e5ab3d74aa21282eb112f328bc
SHA256

1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e
SHA512

9866986dc5b4bcaf1cd9104f6fba38a924c4ca30e7f4e8c52c41cc83e129f8a893422099d0d5a7154a0ed0c92333c80a6038772eb58be45585623e1115fdd3b1
SSDEEP

768:jfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:jfVRztyHo8QNHTk0qE5fslvN/956q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2056	omsecor.exe
1716	omsecor.exe
1696	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1776	1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe
1776	1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe
2056	omsecor.exe
2056	omsecor.exe
1716	omsecor.exe
1716	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2056	1776	1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe	30
PID 1776 wrote to memory of 2056	1776	1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe	30
PID 1776 wrote to memory of 2056	1776	1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe	30
PID 1776 wrote to memory of 2056	1776	1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe	30
PID 2056 wrote to memory of 1716	2056	omsecor.exe	33
PID 2056 wrote to memory of 1716	2056	omsecor.exe	33
PID 2056 wrote to memory of 1716	2056	omsecor.exe	33
PID 2056 wrote to memory of 1716	2056	omsecor.exe	33
PID 1716 wrote to memory of 1696	1716	omsecor.exe	34
PID 1716 wrote to memory of 1696	1716	omsecor.exe	34
PID 1716 wrote to memory of 1696	1716	omsecor.exe	34
PID 1716 wrote to memory of 1696	1716	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe
"C:\Users\Admin\AppData\Local\Temp\1acf66945809fdffd6e263b70097bb2d56acec2fe38a4eb8d3c672865d4f9f2e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
f2d0bcc575fb02659507b01602c78f16

SHA1
79eb56294387ed2ffb68ca6b1de9ea640e1ce1a5

SHA256
26d0ed04d9bbc7dcaa0912625245ff0a1b3de3301b6146ec4cc2736d2a5af309

SHA512
0c5e386ef75d978d335f7abf313a882195b1262029e87d3dffbd957940822b6aa08ec495cbbe16497492f88f10de96133db4f0913477743e18bf2c3a110dc6ce

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
ec3f006e613035beffc7177fd725ffdb

SHA1
410efe3ce870662694f5abc2be6b00058d961b28

SHA256
ad2842e14a11040de833cf25aa2d7beeac98edb2dabc9000412b03fd1c840ac4

SHA512
5bcf5b877047e512916d836440e21a74f5552c8ca840b9ddd317b6564020ad0eddeedd643b99abbafb4d1f4c93aaa60ffb00b943772ce57894e458a23e16f5c0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
66df2e26d73fbe87e4d26726ef765f8d

SHA1
d63ca1c7f1abee06b06752b332db88224ea78cbe

SHA256
fdd8e7775a4ca22f0690fc9117636b2f9401afbfadd45d8046fb555aa21925f8

SHA512
1f2284fe0923c0ebf60b323b7ca3eb253e78eda17ab3a44849dc808ce54fca9cf7edbfedd009c96b8ed3f0459c8080e7f0f956b8957215ffcf7e3874da5b0112

Download Submit
memory/1696-54-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1696-51-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1716-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1716-48-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1716-42-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1776-9-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1776-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1776-8-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1776-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2056-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2056-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2056-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2056-33-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/2056-32-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/2056-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2056-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2056-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing