neconyd | 9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3

General

Target

9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe
Size

76KB
MD5

cc362707bc8eb2642f49f1b03245ec12
SHA1

d078abe613dc23825207e26bfbe80e1eb29c2d3d
SHA256

9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3
SHA512

9eb676790fe2aea972ac84c7fb79af8d2ca2670002ed7dcdb18ff941a9ace609be9dff7b73ddca9fccb1ac88d74b8b41819e0d0586a6c349ce46b7ce8e8a674f
SSDEEP

1536:Ed9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11d:8dseIOKEZEyF6EOFqTiQm5l/5s11d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2324	omsecor.exe
2184	omsecor.exe
2936	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2340	9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe
2340	9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe
2324	omsecor.exe
2324	omsecor.exe
2184	omsecor.exe
2184	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2324	2340	9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe	30
PID 2340 wrote to memory of 2324	2340	9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe	30
PID 2340 wrote to memory of 2324	2340	9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe	30
PID 2340 wrote to memory of 2324	2340	9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe	30
PID 2324 wrote to memory of 2184	2324	omsecor.exe	33
PID 2324 wrote to memory of 2184	2324	omsecor.exe	33
PID 2324 wrote to memory of 2184	2324	omsecor.exe	33
PID 2324 wrote to memory of 2184	2324	omsecor.exe	33
PID 2184 wrote to memory of 2936	2184	omsecor.exe	34
PID 2184 wrote to memory of 2936	2184	omsecor.exe	34
PID 2184 wrote to memory of 2936	2184	omsecor.exe	34
PID 2184 wrote to memory of 2936	2184	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe
"C:\Users\Admin\AppData\Local\Temp\9aacc085f338849f4ba8306fdb67b17b2d077fd315f3baf820d104de9bf0d0a3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
3582cba6e8b6f0aa563dbe5d33110b08

SHA1
fd7906d1afe5e7207877c52562e27145c36d0d5d

SHA256
e0a1e1e4ff754ed10baa78cf4418775e40e6a9c27350397a3af3a9202a49fab4

SHA512
1068a89ec6a090c9c7f4175f3922485aff86ec9c47e7cf3c02d6b876a9bde6d73703853c9f92a34685cbb4ccec6c8e0e1630647ab59f5e59e5858637f8db3571

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
24d7d7d75ea08ac85f8ee73fc27567d3

SHA1
9e1642428c7154f721325473e55183fc3d0732ae

SHA256
4b7de75925ab5b49589b68494be277b73a7030849ccdd7185eaf917691a2f27c

SHA512
d2beaf2f4dd83b40a99ed8a064a7d06185cf01eb32692f6d14b5122a782af45dfe934d031edd924c5025102b1e7a59641a1fb3e0d837e0b46cc2fbbb6f925bde

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
9b2d74bf7cea8ef2807d5b985b6dd0f5

SHA1
d1e40615f62aab622b0c2dc39500023c6bcf763b

SHA256
a650f56a77627bfcf6f767a157a83fa4b1a8d2059e99641cc4f60a285f957eb4

SHA512
ce7a0fb702416bd1b0445404aab949168209350d12cfbbe3c872398e4d2e1547531d66c2e20c503c859b5ad34d70c534eee12e6116ecfc12cef9443108b179f6

Download Submit
memory/2184-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-31-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2184-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2324-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2324-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2324-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2324-23-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/2324-18-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/2340-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2340-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2936-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing