neconyd | 8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba

General

Target

8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
Size

90KB
MD5

927c632d19cf1a09d6e9d2b053042f28
SHA1

cdbe7a141f9e59ebb085601a0c675fde8322aadc
SHA256

8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba
SHA512

06ae5c1ae5bc5c91b306252a44bd41ced3b366b845d3836cc789b35df00fad0988338d8116cac3b03d8e93eeb9731e1d8fe3a0911d86a7f15979f35c7c930a90
SSDEEP

768:9MEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAK:9bIvYvZEyFKF6N4aS5AQmZTl/5y

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2312	omsecor.exe
2724	omsecor.exe
2672	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1820	8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
1820	8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
2312	omsecor.exe
2312	omsecor.exe
2724	omsecor.exe
2724	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2312	1820	8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe	28
PID 1820 wrote to memory of 2312	1820	8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe	28
PID 1820 wrote to memory of 2312	1820	8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe	28
PID 1820 wrote to memory of 2312	1820	8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe	28
PID 2312 wrote to memory of 2724	2312	omsecor.exe	30
PID 2312 wrote to memory of 2724	2312	omsecor.exe	30
PID 2312 wrote to memory of 2724	2312	omsecor.exe	30
PID 2312 wrote to memory of 2724	2312	omsecor.exe	30
PID 2724 wrote to memory of 2672	2724	omsecor.exe	31
PID 2724 wrote to memory of 2672	2724	omsecor.exe	31
PID 2724 wrote to memory of 2672	2724	omsecor.exe	31
PID 2724 wrote to memory of 2672	2724	omsecor.exe	31

C:\Users\Admin\AppData\Local\Temp\8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe
"C:\Users\Admin\AppData\Local\Temp\8098437110388791f3582d804176f5ee71bbcbe08c686943a7e77c719dfa43ba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
a7c053a1ffd4cf604e65a6857f1ef898

SHA1
3400ca8ea261d9b51e08492fff0add5f0c430870

SHA256
73cdb56cd63bac31a71430f9c68d46f41ec09c1854dfa154d8cb3a5dbc986d07

SHA512
3b6070bfd4cd34163592774a89ea6c2e55b4beaeef58af72480b981de477dc546c14f420fe7d4ace521ccc9df3c5112866e60a08b605862d8d475068305cc72d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
0ae805218214279ffefcc54a90beec63

SHA1
5613e083eebd220d03cffd7c4e5be2bb623b5601

SHA256
02ef41d7724f40560fb692600286cf79385a9cdb91d4893918eb478785687116

SHA512
3e522e3ce232100eacef5bce2d8d07a38a1ee19f19adfbd880ba0589c6bbf5b0e65e9404390f75f7d3d1cbb124209b45108d5dd2ecc7bf02dc1b61657100e951

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
db265fc22a5a6841b1bd556e5f5942a5

SHA1
321e5d5455dac25554b242ab7f6e0264773953ba

SHA256
555971dc1f9318e0483fdf9e68208a3883174ed2499554aa9b5bc60bbf5bb08b

SHA512
7219e229ea1eea571bf5802c9c38bd71d24fef0e398274732eb4dd8643820cdf69bdbb3a3b762e61490acd33d69af8f6a62aad0f7237409c8f60e3fc9f1610fb

Download Submit
memory/1820-4-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/1820-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1820-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2312-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2312-18-0x0000000000360000-0x000000000038B000-memory.dmp

Filesize
172KB

Download
memory/2312-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2312-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2672-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2724-30-0x00000000002A0000-0x00000000002CB000-memory.dmp

Filesize
172KB

Download
memory/2724-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing