neconyd | f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601

General

Target

f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe
Size

76KB
MD5

8f2aa25aad326a413b41937ff400fda2
SHA1

6dbe919017ba75ec80ece116791f984cf6775c60
SHA256

f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601
SHA512

16c21011cd972720d49c4b8b7cc75f7ff77f323d80deb48a2ee567785784e8a160111142743865977740627c89575e7d0b9d4651dfd7e9b7a169dad75bc570ee
SSDEEP

1536:3d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11T:/dseIOMEZEyFjEOFqaiQm5l/5w11T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2308	omsecor.exe
2284	omsecor.exe
2980	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2240	f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe
2240	f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe
2308	omsecor.exe
2308	omsecor.exe
2284	omsecor.exe
2284	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2308	2240	f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe	30
PID 2240 wrote to memory of 2308	2240	f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe	30
PID 2240 wrote to memory of 2308	2240	f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe	30
PID 2240 wrote to memory of 2308	2240	f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe	30
PID 2308 wrote to memory of 2284	2308	omsecor.exe	33
PID 2308 wrote to memory of 2284	2308	omsecor.exe	33
PID 2308 wrote to memory of 2284	2308	omsecor.exe	33
PID 2308 wrote to memory of 2284	2308	omsecor.exe	33
PID 2284 wrote to memory of 2980	2284	omsecor.exe	34
PID 2284 wrote to memory of 2980	2284	omsecor.exe	34
PID 2284 wrote to memory of 2980	2284	omsecor.exe	34
PID 2284 wrote to memory of 2980	2284	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe
"C:\Users\Admin\AppData\Local\Temp\f16a64d890ba2a1693e82f61a59641f95e04751ce47b4e364b02b06e10616601.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
eaa4361347a07df5f2fb7813d054700b

SHA1
e6c16242aa83076ccd720d1eae6d741afd477f50

SHA256
29586849d09d3052c56895b28a5abd812b49e73880f37b0203d9ae1373f7dc2d

SHA512
4a8c25330f5b5fa1135cd0f2cf21f3761f274523d9555a199075984ea8a4d12d5052d5812468a49e9b540d8062aa14be87e76bdb4202ba82515a4c240d84117a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
8ce1b2e9f533378be388f107b6fa9fcc

SHA1
8ecd7b55b3dc229cb83101765ef4c94c8570f41d

SHA256
f09bdfca65aa301b32274f82b5f26c77d89d11d5423a8d44b33599a30a0ac90b

SHA512
1ca388ea50a1e4e4b4799086a0f26e10100b9d8b0ed900473f47616a69d6942c4ed28a2c1455e871f3489fcea78366e24338448d012f7aa422aba1ae709fe6e0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
8fd92c7456b2a5266d7af444e1e2c736

SHA1
61ca77c0aee47491c5a1ef0c879bbd656ccb0046

SHA256
ca8db6b57f860fe7050ea403118e113751578b91567c7bab17a4bc1e71fe4310

SHA512
0e41091dee4ed65a2d5c217e431579be82e0eb8ef45e70439332238bbb97fd85a6f7de66f188c8f1a394478c770b46c995c60b5316d0cff799190262cb8bdcaa

Download Submit
memory/2240-9-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2240-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2240-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2240-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2284-32-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2284-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2284-40-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2308-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2308-20-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/2308-25-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/2308-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2308-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2980-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing