neconyd | 0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16d

General

Target

0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
Size

134KB
MD5

cfce42e278831f3cdca01f86bc500a60
SHA1

b42ff30289417a450eba87faf37198fa733878df
SHA256

0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16d
SHA512

0880b8f2e7805e68bfa5c9276f8ce9415f2be878d64abad3c62b1552db2ccd61de493726b50e0d1b2098d814969c168cb0bbaf928609a80aeb0f5aa34a31aac0
SSDEEP

1536:kDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:6iRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4064	omsecor.exe
4548	omsecor.exe
536	omsecor.exe
3204	omsecor.exe
3500	omsecor.exe
1880	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3160 set thread context of 2168	3160	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	83
PID 4064 set thread context of 4548	4064	omsecor.exe	88
PID 3500 set thread context of 1880	3500	omsecor.exe	112

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4532	3160	WerFault.exe	82
4324	4064	WerFault.exe	85
4804	536	WerFault.exe	107
3368	3500	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 2168	3160	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	83
PID 3160 wrote to memory of 2168	3160	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	83
PID 3160 wrote to memory of 2168	3160	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	83
PID 3160 wrote to memory of 2168	3160	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	83
PID 3160 wrote to memory of 2168	3160	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	83
PID 2168 wrote to memory of 4064	2168	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	85
PID 2168 wrote to memory of 4064	2168	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	85
PID 2168 wrote to memory of 4064	2168	0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe	85
PID 4064 wrote to memory of 4548	4064	omsecor.exe	88
PID 4064 wrote to memory of 4548	4064	omsecor.exe	88
PID 4064 wrote to memory of 4548	4064	omsecor.exe	88
PID 4064 wrote to memory of 4548	4064	omsecor.exe	88
PID 4064 wrote to memory of 4548	4064	omsecor.exe	88
PID 4548 wrote to memory of 536	4548	omsecor.exe	107
PID 4548 wrote to memory of 536	4548	omsecor.exe	107
PID 4548 wrote to memory of 536	4548	omsecor.exe	107
PID 3204 wrote to memory of 3500	3204	omsecor.exe	110
PID 3204 wrote to memory of 3500	3204	omsecor.exe	110
PID 3204 wrote to memory of 3500	3204	omsecor.exe	110
PID 3500 wrote to memory of 1880	3500	omsecor.exe	112
PID 3500 wrote to memory of 1880	3500	omsecor.exe	112
PID 3500 wrote to memory of 1880	3500	omsecor.exe	112
PID 3500 wrote to memory of 1880	3500	omsecor.exe	112
PID 3500 wrote to memory of 1880	3500	omsecor.exe	112

C:\Users\Admin\AppData\Local\Temp\0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
"C:\Users\Admin\AppData\Local\Temp\0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\Temp\0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
  C:\Users\Admin\AppData\Local\Temp\0103c8b2dc025104e9dc15635bed3cd2aae8d1fdf05b66c6f9d29c5997d2a16dN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 256
        8⤵
        Program crash
        
        PID:3368
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 292
        6⤵
        Program crash
        
        PID:4804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 300
      4⤵
      Program crash
      PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 288
  2⤵
  - Program crash
  PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 3160
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4064 -ip 4064
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 536 -ip 536
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3500 -ip 3500
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
db344215d41ff0cfd0d592b21dfe4786

SHA1
a3eb374a19d444d4df608661b6d4a3d09698a455

SHA256
509e7b65101b42202d1beaf17239a1488653218c1b266ac4046a66224b729d5c

SHA512
27369d551c6372b326c22b90e59465243092447f3e61cb0b279a93bd64f818304067d8a5feeaf6b88f7579cfed6b2706f48d45df9c405d75a027ae382fff28f7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
fdebb57156c0828d5487ffb9f7c49f46

SHA1
9d5e9223baef5b9dba2e653a1f4bd97ed46b6aeb

SHA256
9e2db712645995dd9573ab0e73be604066782e3ae994b5da9001124abf552522

SHA512
286e045e4cd3db75250e0172ed086dd1e1972a42a0f01bb18bbe0118d99e64235b39fd39b7d358e1ef9e077854af84029d686b5e071f293912d23db2811f7403

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
fcb1ca2de6f6caa6675bc1964da01362

SHA1
8ab9a7bc90d1120433f84ea91d957b6a278981a2

SHA256
0a9e73c0c7ee119c0818c25a9a9a1bc36afac9635baf9979958f62ae1f001377

SHA512
0f4647e58589733a3adf7e9dc846b53e18c29e6d236baf511dc225f5c99139ff7bfee4ca8ee807f8985275f4d8c01d3895402089c01f45b82752e7815fcc9a24

Download Submit
memory/536-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/536-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1880-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1880-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1880-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3160-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3160-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3204-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3204-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3500-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4064-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4548-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4548-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing