neconyd | ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737

General

Target

ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe
Size

90KB
MD5

7febbbf1966e907f2d6a1bf15eae6bde
SHA1

94b861a98d91c5190cfa6c2b2ae03f707fe075a3
SHA256

ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737
SHA512

da866cf120eda097044694800ec09faec6fc248abb3a97dc11d665a6ac3ef75eb3445b8d7928d6dfd79f46923e4c38f2da9288377007210223c27081b71e59ae
SSDEEP

768:NMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAe:NbIvYvZEyFKF6N4aS5AQmZTl/52

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2136	omsecor.exe
3028	omsecor.exe
2736	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2956	ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe
2956	ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe
2136	omsecor.exe
2136	omsecor.exe
3028	omsecor.exe
3028	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2136	2956	ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe	30
PID 2956 wrote to memory of 2136	2956	ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe	30
PID 2956 wrote to memory of 2136	2956	ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe	30
PID 2956 wrote to memory of 2136	2956	ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe	30
PID 2136 wrote to memory of 3028	2136	omsecor.exe	33
PID 2136 wrote to memory of 3028	2136	omsecor.exe	33
PID 2136 wrote to memory of 3028	2136	omsecor.exe	33
PID 2136 wrote to memory of 3028	2136	omsecor.exe	33
PID 3028 wrote to memory of 2736	3028	omsecor.exe	34
PID 3028 wrote to memory of 2736	3028	omsecor.exe	34
PID 3028 wrote to memory of 2736	3028	omsecor.exe	34
PID 3028 wrote to memory of 2736	3028	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe
"C:\Users\Admin\AppData\Local\Temp\ccab41d7ee381f80668f53c9dbf43fa136898239c2018e8782629349b2ce5737.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
1d1cc92b1f0251c2c8476fe0f54df325

SHA1
a10dd01c60c05097d464f3db92549a8c1e7936ff

SHA256
63b9c400bd44b31c38a19cdc4e053b20a7e7c3b4b191168f2e37b581c004a927

SHA512
f39746c5441fa46276a70ac454e5bd25724819feec8b9b1112c0e41e3124c8463d64a52c1b2f69305d07990f6ede4293961c2fa22f00b49312280691aa5694b0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
550446fc0330be2c4f09ffbc35b2259a

SHA1
0dbf86ee333603c535270701bea91fe815bcfad9

SHA256
2c284911b857a33bbd72229b8dbeed2bd55c2a10452bc2b30ff5cffca2e095d7

SHA512
c4f704ee1f08a4fe2a22269834f639c441327451e17d641434d9743281fc78011af1f28bf38a7a440d81b3b8a33aa9c7ef0aacaa51979d987bcee94265126f8a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
d68e8bf095754a89fc3eea246483ef56

SHA1
34ed3bd7c2df7f739962fcf0b3167233c34bace8

SHA256
72b192b3bd3970c6d9b97e25857d1f4a7b16ba192e06b57dc06bace4516449ba

SHA512
0eb479fc8950a60de3050193a974e703bb8c5482fa275e968f7c0d278b76698fd034c8faa58c08700bcc8918129902fff03e5f640b49f1c1a5a2be7f03c235e6

Download Submit
memory/2136-22-0x0000000000380000-0x00000000003AB000-memory.dmp

Filesize
172KB

Download
memory/2136-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2136-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2136-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2136-23-0x0000000000380000-0x00000000003AB000-memory.dmp

Filesize
172KB

Download
memory/2736-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3028-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3028-31-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/3028-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3028-39-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing