neconyd | 5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74af

General

Target

5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe
Size

76KB
MD5

a8ad3d8ab73c1595dd51afe2bf59b5a0
SHA1

ba1f9e97cee2323267598beca461902afb3fb1cb
SHA256

5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74af
SHA512

42f932316f2ae2a333182980de31b9961defe4629e3140c307e38ecb1862c32a5a8bf621e0b7e2d5e3c806e85ca17e3c822d43e3c01a8f49bf47b2ae29236d3d
SSDEEP

1536:qd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w113:qdseIOMEZEyFjEOFqaiQm5l/5w113

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1668	omsecor.exe
1920	omsecor.exe
1948	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1728	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe
1728	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe
1668	omsecor.exe
1668	omsecor.exe
1920	omsecor.exe
1920	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1668	1728	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe	32
PID 1728 wrote to memory of 1668	1728	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe	32
PID 1728 wrote to memory of 1668	1728	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe	32
PID 1728 wrote to memory of 1668	1728	5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe	32
PID 1668 wrote to memory of 1920	1668	omsecor.exe	34
PID 1668 wrote to memory of 1920	1668	omsecor.exe	34
PID 1668 wrote to memory of 1920	1668	omsecor.exe	34
PID 1668 wrote to memory of 1920	1668	omsecor.exe	34
PID 1920 wrote to memory of 1948	1920	omsecor.exe	35
PID 1920 wrote to memory of 1948	1920	omsecor.exe	35
PID 1920 wrote to memory of 1948	1920	omsecor.exe	35
PID 1920 wrote to memory of 1948	1920	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe
"C:\Users\Admin\AppData\Local\Temp\5f00bc8c61754ddc2adb4602589278c714f84fc5e6977ff0d0562fc9f81f74afN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
06a52b8d580c2b3c7ecf6394e25fae9e

SHA1
334e8ff5706531dea9841e9a15e148ebd27106c3

SHA256
9af8b606868454a501a3c4ffdd65c747850fd20c4f1a59296681d55a8aa8789a

SHA512
93f9215a59fbe6f6fbf6e4becbd5e6c059a4235a37c8c1bc6babfb5fb5d7955a2fd4cda8d4328ff8401eb9bb7579e7e3a14b1267aca66765a27e9431a22a82c8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
52c51e23006dafef378b88431533edef

SHA1
2d474b659dd0387531b38c3a6d803b416cdba643

SHA256
ece611e862cc3626e17d1aae85e411b52e59c0cab26ec596d6d7ab9021bf50fc

SHA512
796db1dd1e21ed3b6f21f58e5db41d19cd7f17afd3f7a4c1371d7c059cb18497071701916c96478c1d8b5ff8e1d9826f6f97ac9a5b9f490ac42f73804dec549a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
fb08c99114bd3634ed14c4cf842faff7

SHA1
4697e61e7d8d11bd72ccdf7ca09b79d87874b062

SHA256
efdf6d041076010f75bc07834167f21674b3d8cbcc1d843cf4cbb54b72cffeaa

SHA512
9d6f87d10645285fba94b6ce8adf60019daefff68e67f568558e521e285ebb399a0fad010d6a4a6ecc6addea84bbc33d836b14e400554fadee60143fcb9534e1

Download Submit
memory/1668-18-0x0000000001F40000-0x0000000001F6A000-memory.dmp

Filesize
168KB

Download
memory/1668-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1728-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1728-4-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1728-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1920-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1920-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1948-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1948-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing