neconyd | 0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825

General

Target

0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe
Size

76KB
MD5

78186ad83fb7ef5210e41709abef2740
SHA1

f2acb5485855725b289b5f8d8b42ef2ba03d7598
SHA256

0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825
SHA512

e1b3a2e16ceaf7ade9ee4e0dc2f1172b0e828b069cd9d5ce365bcb37f165d40b37f68c9e0248cd7f46d9f1f6319a895ff95e902cef290e3607c397492825d9e8
SSDEEP

1536:Ed9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:8dseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2532	omsecor.exe
1696	omsecor.exe
2860	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2072	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe
2072	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe
2532	omsecor.exe
2532	omsecor.exe
1696	omsecor.exe
1696	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2532	2072	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe	30
PID 2072 wrote to memory of 2532	2072	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe	30
PID 2072 wrote to memory of 2532	2072	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe	30
PID 2072 wrote to memory of 2532	2072	0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe	30
PID 2532 wrote to memory of 1696	2532	omsecor.exe	33
PID 2532 wrote to memory of 1696	2532	omsecor.exe	33
PID 2532 wrote to memory of 1696	2532	omsecor.exe	33
PID 2532 wrote to memory of 1696	2532	omsecor.exe	33
PID 1696 wrote to memory of 2860	1696	omsecor.exe	34
PID 1696 wrote to memory of 2860	1696	omsecor.exe	34
PID 1696 wrote to memory of 2860	1696	omsecor.exe	34
PID 1696 wrote to memory of 2860	1696	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe
"C:\Users\Admin\AppData\Local\Temp\0d353c8ab098cf0b6f822d38b9bd0373b47a7e4066ac6d4a327935ec78c32825N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
885862ad1f732a9ab922878b50930777

SHA1
2abb58cb97c5320ad612491b488b0c0573515087

SHA256
f160eb08a4aa89bb72fc505c03a1ef651a5a46b48378a0855abaa835bb4a733c

SHA512
85b336ee235c80fc25fb57ab3d9fea1b536e7b499e17fada0a34a5062a2fb7ae3ae1f72b15794d4872bc3fde3feebd6ab3e6945085be467d0181335d55658298

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
87dd1dcd2af8d90b066ec0c5b1384131

SHA1
9783458e18423c836e9122d894d4de41baf47c90

SHA256
258d94fe0c45561537d2fd5ae216806f8e079a029ab1271dcc47c650764fc349

SHA512
268c91fb07880b39c7a71e55f0eec79550a84e604561b13e0089f44cadc3d75ecbc45a0e79db2122111a424e10f3f4c3dfddd37f39b780962416316f015ed325

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
6c11759ee526b56e0e0c30f26bfade83

SHA1
cc564df84f0377c33917ec64cbb7025300135248

SHA256
94019f49c19345f526580ad6c335dcffe10e072299939965d87b544a439f51fb

SHA512
51acc444e65853cd51f4aeb265976960e74042e72b43a83fcd5121bc3dfb36fa8563c5d6092dd3a1ca13069a943cf3a3a82c2016a66e33a5fe22497f2831e263

Download Submit
memory/1696-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1696-29-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2072-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2072-8-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2532-17-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2532-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2532-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2532-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2860-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2860-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing