neconyd | 1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363

General

Target

1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe
Size

96KB
MD5

afc531ae9bac98ab6cdd039d9177f6a0
SHA1

040c9c1e2d5d9887ace0719c10e977a159bc6aa8
SHA256

1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363
SHA512

2f9a3553922f093835cd1848c2237ffe1260f04ebf864d118f0163611b05e272561a5986d96f91bd0ab56b66dba498dae5b109f11e15280c7232b064baf2f2c0
SSDEEP

1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:4Gs8cd8eXlYairZYqMddH13r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4188	omsecor.exe
2872	omsecor.exe
3924	omsecor.exe
312	omsecor.exe
4852	omsecor.exe
3068	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 1832	2304	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe	84
PID 4188 set thread context of 2872	4188	omsecor.exe	88
PID 3924 set thread context of 312	3924	omsecor.exe	110
PID 4852 set thread context of 3068	4852	omsecor.exe	114

Program crash 4 IoCs

pid	pid_target	Process	procid_target
932	2304	WerFault.exe	83
3452	4188	WerFault.exe	86
3524	3924	WerFault.exe	109
1668	4852	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1832	2304	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe	84
PID 2304 wrote to memory of 1832	2304	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe	84
PID 2304 wrote to memory of 1832	2304	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe	84
PID 2304 wrote to memory of 1832	2304	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe	84
PID 2304 wrote to memory of 1832	2304	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe	84
PID 1832 wrote to memory of 4188	1832	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe	86
PID 1832 wrote to memory of 4188	1832	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe	86
PID 1832 wrote to memory of 4188	1832	1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe	86
PID 4188 wrote to memory of 2872	4188	omsecor.exe	88
PID 4188 wrote to memory of 2872	4188	omsecor.exe	88
PID 4188 wrote to memory of 2872	4188	omsecor.exe	88
PID 4188 wrote to memory of 2872	4188	omsecor.exe	88
PID 4188 wrote to memory of 2872	4188	omsecor.exe	88
PID 2872 wrote to memory of 3924	2872	omsecor.exe	109
PID 2872 wrote to memory of 3924	2872	omsecor.exe	109
PID 2872 wrote to memory of 3924	2872	omsecor.exe	109
PID 3924 wrote to memory of 312	3924	omsecor.exe	110
PID 3924 wrote to memory of 312	3924	omsecor.exe	110
PID 3924 wrote to memory of 312	3924	omsecor.exe	110
PID 3924 wrote to memory of 312	3924	omsecor.exe	110
PID 3924 wrote to memory of 312	3924	omsecor.exe	110
PID 4852 wrote to memory of 3068	4852	omsecor.exe	114
PID 4852 wrote to memory of 3068	4852	omsecor.exe	114
PID 4852 wrote to memory of 3068	4852	omsecor.exe	114
PID 4852 wrote to memory of 3068	4852	omsecor.exe	114
PID 4852 wrote to memory of 3068	4852	omsecor.exe	114

C:\Users\Admin\AppData\Local\Temp\1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe
"C:\Users\Admin\AppData\Local\Temp\1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe
  C:\Users\Admin\AppData\Local\Temp\1847971d87de2ee5eb8f57e45266351d5e569dca6a0ae0f2214aca78c615d363N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:312
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 240
        8⤵
        Program crash
        
        PID:1668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 292
        6⤵
        Program crash
        
        PID:3524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 288
      4⤵
      Program crash
      PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 288
  2⤵
  - Program crash
  PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2304 -ip 2304
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4188 -ip 4188
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3924 -ip 3924
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4852 -ip 4852
1⤵
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4e10f2c554c7dea510331ad9e3ae8e6f

SHA1
1a38d60f230fca7ef6df8e479d8ce23a409977c6

SHA256
af9e1a9357e28df1a8b19773fcfb2a54db4cc3a766f86807767160cdd6b1da23

SHA512
d29d1f3028db7ac42b12f12e48d9d66bfec6fb4bc39dd7bf4d43afce98fe11d5005cb10bec2f83c8bda25e5667439bc96d46ddd011c5b193065cca135ea6f005

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
35fb65e72b1dd1d3916826d22d0cc2d1

SHA1
4ea62b7c9156d8cd2e2f795275d032c251fc0722

SHA256
7aaf3cab95af13791b19b1337c5df4d5f6ed3f8308873c5209a032fde78153fb

SHA512
951136ca29d15c667b4ef1f483faaeadcae5f365f6092a55b9110971b7259dc5c0266233a63ed3223cfd68dc7099cb693e85ee6161fec60a66a34ea2b4b3d30d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
084e6a66f9e7307b5a7c93678e0a0970

SHA1
ee8e9e005f1f7cbb2dd775737c6144467d50bfb3

SHA256
f33b0ce2757e1c5ba2e00f393cdcd895d02a8c01e3d63886f03ec5a5d244acc0

SHA512
8fb9c8b76747a372c4baba71ddc610cf773027d33c751767ef373bc56fc9c4e9db4ca9e9768529417f576c19c237894f503e1e7754b09ef1639eabe799b52ac0

Download Submit
memory/312-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2304-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2304-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2872-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3924-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4188-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4852-40-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing