neconyd | c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d

General

Target

c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
Size

92KB
MD5

9f58b27476187faed4e25dddd66aef84
SHA1

62730d93ba19df4f26602188060bc10f2030fe5d
SHA256

c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d
SHA512

46bddaaa1fc0276a0c83136896ee735fe83bc688e8d2033d80eafc5cdff3703cc423e4cfa8913d43195ff8be5c91334f87fc44d5cf4c7bc2fa4171ad25bf309d
SSDEEP

1536:ud9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:2dseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1804	omsecor.exe
2300	omsecor.exe
668	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2436	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
2436	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
1804	omsecor.exe
1804	omsecor.exe
2300	omsecor.exe
2300	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1804	2436	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	31
PID 2436 wrote to memory of 1804	2436	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	31
PID 2436 wrote to memory of 1804	2436	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	31
PID 2436 wrote to memory of 1804	2436	c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe	31
PID 1804 wrote to memory of 2300	1804	omsecor.exe	33
PID 1804 wrote to memory of 2300	1804	omsecor.exe	33
PID 1804 wrote to memory of 2300	1804	omsecor.exe	33
PID 1804 wrote to memory of 2300	1804	omsecor.exe	33
PID 2300 wrote to memory of 668	2300	omsecor.exe	34
PID 2300 wrote to memory of 668	2300	omsecor.exe	34
PID 2300 wrote to memory of 668	2300	omsecor.exe	34
PID 2300 wrote to memory of 668	2300	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe
"C:\Users\Admin\AppData\Local\Temp\c1dd1dc8ece888b20cff81ea645eb9a6bd75896cbf7ed8eb165665a9ff9b7c5d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
304a4aaa1c4b8d1b849dab71b4bfb63b

SHA1
58a00fb5fc172233bc7594a98077de5810c67a70

SHA256
7536ce7ae2d7a24566bea6d4dd66e27739f7298cc159dfa8da70fa1914683315

SHA512
4ab2b1ea7464fcb02bb8427066110b41df5e15b28ecda02995e77437e557d3c4f5c7ff1260cc772b8e8717453a7b03eca5137d1581335221496f3fc2f4feadb7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
2a957fafac340edaac0719d7b748c076

SHA1
274077ab7c22c5852aaf2d9cedfca3f597e273f6

SHA256
5558c99b9f624ce981ec5635af2d7e76a47dbed05faeca2f8de9fb5bfe43b642

SHA512
4d25b8f98f23edad2008d430474fa08611967700f2e0dc5ae3f5b46dac82b41e5c07e05fe4809ada48fced0573a0e7a009e694cf9a149a16d5522d680809458d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
c27e52000ed9f3705a140a614950b6d1

SHA1
a131ecfb3f7f19355689d7048c04bc9270a0bad6

SHA256
71ad20abd30bdd52a6105292961982c4af25a00b2955f185403661708d4b16cd

SHA512
9568edf9a0ec917dc0a5744c5b1d51cfc589866ce002c3875e643a1841be1bb2eaef7b01a1e0b92783ba12844e77405406cf174e9e2f9a241644919d7a26f607

Download Submit
memory/668-41-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/668-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1804-23-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/1804-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1804-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1804-18-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/1804-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2300-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2300-36-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/2300-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2300-40-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/2436-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2436-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing