neconyd | 936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0

General

Target

936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe
Size

76KB
MD5

4ca384ece866884af75be9817b493e80
SHA1

ec44e7ed30e89185da606e3b25e76d0311cfc511
SHA256

936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0
SHA512

be09410f1a20a77e45ccb1eeba08517ab6869bbe79a51dc7c0c2c3c63b097b372d0fda5ed558fe5b3119d273e21d6210bb4e168dbcbc7a1bdfb18b6d223739ca
SSDEEP

1536:Ed9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:8dseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2508	omsecor.exe
1312	omsecor.exe
2004	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2480	936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe
2480	936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe
2508	omsecor.exe
2508	omsecor.exe
1312	omsecor.exe
1312	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2508	2480	936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe	30
PID 2480 wrote to memory of 2508	2480	936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe	30
PID 2480 wrote to memory of 2508	2480	936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe	30
PID 2480 wrote to memory of 2508	2480	936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe	30
PID 2508 wrote to memory of 1312	2508	omsecor.exe	33
PID 2508 wrote to memory of 1312	2508	omsecor.exe	33
PID 2508 wrote to memory of 1312	2508	omsecor.exe	33
PID 2508 wrote to memory of 1312	2508	omsecor.exe	33
PID 1312 wrote to memory of 2004	1312	omsecor.exe	34
PID 1312 wrote to memory of 2004	1312	omsecor.exe	34
PID 1312 wrote to memory of 2004	1312	omsecor.exe	34
PID 1312 wrote to memory of 2004	1312	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\936dbadef8ec653ecd3da381fa4b4a0c4f2a17c03b88d96d93a3da72a833f9c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
9ce960cd451c14dcd370b58c32fc1b58

SHA1
46de93f65d42f6c069c090e1aee790ea8b1ce24a

SHA256
4230b812e1f39aebd0931411d41eaede236673a3168eb67e522ee9f84a9e1a80

SHA512
7689320081d01e29f5c411005bd7056ecdda1e311953f54fed3b4d55900ef35c2d6aebecc9578d70959a4bd0503b8224377a48a8a383208aa937a6cd0b2f4d46

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
6c0d787f692dfdff4717ddb98fc08c16

SHA1
e7e910414c45c89ef368550822c7b15ccbe2900d

SHA256
1a975745525b2dc2b48d4c8d95a50fa518e6725f90f5d8e791706b20650abaf3

SHA512
abcd7603aadd5c2bd52405c90f3162201a0fee83163a8efa31a077f90e6b8090602ee9d79a71ccb976867a5a850e14a6937bfaa47a230216e395ad3c4d73f6e4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
af637ca3284ebc9ad66e7c69165918a0

SHA1
6ee34b303f66fddee6811110f1e0c9f0e02a1622

SHA256
ddeb1ae587d4fb0255f9e9b5507430422b70923c60f2db269c4b007ae1debee6

SHA512
d0d58985487f338ef5b05a0da12a667d16a3ed72307e47b26f4c3e6bab87ecbcab9010b6c47465d62856258865d847604679153456cb47236fd5cc50045bd695

Download Submit
memory/1312-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2004-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2004-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2480-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2508-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2508-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2508-16-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2508-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing