neconyd | ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db

General

Target

ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe
Size

71KB
MD5

1d57dc0d23988bde925880eb770228eb
SHA1

e0418eaadda3bfaf6df8facf6f3dd60274b968dd
SHA256

ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db
SHA512

7014a031409ecd09326df5099e0078f9b704f552d8f1779612a7752174688d79eb69fa86141d2254fc82856b64c0a2eccb22b774c16ad4f3fa1bd42487a529fd
SSDEEP

1536:Qd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHH:QdseIOMEZEyFjEOFqTiQmQDHIbHH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3024	omsecor.exe
1740	omsecor.exe
304	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2700	ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe
2700	ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe
3024	omsecor.exe
3024	omsecor.exe
1740	omsecor.exe
1740	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3024	2700	ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe	30
PID 2700 wrote to memory of 3024	2700	ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe	30
PID 2700 wrote to memory of 3024	2700	ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe	30
PID 2700 wrote to memory of 3024	2700	ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe	30
PID 3024 wrote to memory of 1740	3024	omsecor.exe	33
PID 3024 wrote to memory of 1740	3024	omsecor.exe	33
PID 3024 wrote to memory of 1740	3024	omsecor.exe	33
PID 3024 wrote to memory of 1740	3024	omsecor.exe	33
PID 1740 wrote to memory of 304	1740	omsecor.exe	34
PID 1740 wrote to memory of 304	1740	omsecor.exe	34
PID 1740 wrote to memory of 304	1740	omsecor.exe	34
PID 1740 wrote to memory of 304	1740	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe
"C:\Users\Admin\AppData\Local\Temp\ba99f40d6d36dcdbc05a9e5d60ca469d836312c438a3281dc18ebcf525aac8db.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
985e33c2ea27ab93a5dd53570023c491

SHA1
22ab5dc11ab538d685480ebdd5e89d74749ccc76

SHA256
4016162210561f46275b2e54249d15b4955d3a5b307f39f588136bcf8c4699ee

SHA512
76523fec06120182824e4565f600ff905559a409c9c0e9cb116a87a41479f54930375896ef946d11e2e19e296b96bdd7931efb31fa4390f41160d1d21194db3e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
431140213de6e147152758c8c7f3d0ad

SHA1
5cc75bfe6ab98f9a38fa153c7d85ea6eb0ab5ae5

SHA256
b05d6186e36ff3de45f97a15734a57545c9335a77724a503705a07788cc13f5f

SHA512
a225657c211bc31f28ec921d8acc17ccd412188e33e9012f03a56ad70804215e6526530b8155327f628ff459a89961fa1be0fc38ad528240dbf1d68f48d69126

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
186ed0c54fe815f43275006f922a3abf

SHA1
7fa110af1c1327f5c16e205f1672a324d7687e86

SHA256
9ebcd57d092d185ff4f344fd204d209b390da5c5237a3f1c3d68394f16c1e307

SHA512
a84d0257a068e0636715f7c2cf27f3af4531309850534b0870eb00c8d69de85037a151cd810e8770d01443bf713f07b2269652b20640bc7b1b5833da4e3f6e53

Download Submit
memory/304-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/304-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1740-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1740-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2700-9-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/2700-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2700-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2700-13-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/3024-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3024-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3024-19-0x0000000000290000-0x00000000002BB000-memory.dmp

Filesize
172KB

Download
memory/3024-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing