neconyd | 05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad

General

Target

05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe
Size

90KB
MD5

94f0b5f071cde41b968bf173a51af7a7
SHA1

79edaa39598d56e11d6fd943789773cc8341e1ae
SHA256

05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad
SHA512

545c67836bccd67604d29d1fc5b5d3e87faba048962aafdee6640b8c233bdae471c25adc678c6bc79abc122fe05266f5f65dd9542335f748a93a9027d9c015c4
SSDEEP

768:RMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:RbIvYvZEyFKF6N4aS5AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3056	omsecor.exe
2796	omsecor.exe
2616	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3044	05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe
3044	05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe
3056	omsecor.exe
3056	omsecor.exe
2796	omsecor.exe
2796	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3056	3044	05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe	30
PID 3044 wrote to memory of 3056	3044	05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe	30
PID 3044 wrote to memory of 3056	3044	05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe	30
PID 3044 wrote to memory of 3056	3044	05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe	30
PID 3056 wrote to memory of 2796	3056	omsecor.exe	33
PID 3056 wrote to memory of 2796	3056	omsecor.exe	33
PID 3056 wrote to memory of 2796	3056	omsecor.exe	33
PID 3056 wrote to memory of 2796	3056	omsecor.exe	33
PID 2796 wrote to memory of 2616	2796	omsecor.exe	34
PID 2796 wrote to memory of 2616	2796	omsecor.exe	34
PID 2796 wrote to memory of 2616	2796	omsecor.exe	34
PID 2796 wrote to memory of 2616	2796	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe
"C:\Users\Admin\AppData\Local\Temp\05dca2e1a99a11bfa91ca073a7303af512fadea16050bf3fb126e015185ec7ad.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
67810d969e7cad0965c6a1c240b8722c

SHA1
53e3a0e60c37b55cef1e5f804acb54552605e129

SHA256
c7e1c3f2587694e97b7fd02ca5b8a3fd601895b86e8dffe5221a0cf2f9c2d5bb

SHA512
9f6133a9c51d46d343013e6bacb5e98c309db5fbf6677f5e56d8c7926c34dae9020cd04aef3a4c62fa240ebee0d3a39d4ae8110b27845b5ea9a626a92bc842aa

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
596b1a1754c83d5d032a95bc7eb5d927

SHA1
0cbd9a1af98fa6544b827218d4c29a2bb450bb5e

SHA256
605d101381069d2e4114ee901afeae8e96657504fa65ec58b759296f4637da7c

SHA512
cc3ddb2725677d6c99718dca609c7f444417d07382a5da53c7ce51a8155868bcecb7d156fb97da8ac575a070b45c4f30399b2dd02e23702cd7c92fc4d8e14d32

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
296bd6f1430d26220d5860e8993f675c

SHA1
39092c2e81ab731e6b2f19773b93be870b641bc9

SHA256
085e4bec69a738c44053490e9fedf3d4802801fc2cfd120722ec74a1c383f67f

SHA512
b96481d58f68ba42ad873cce317331f200c5c1831d0114bbc94fa18a9e9ea37991cca3612dc3267cef7a4e82bcb36b5d22a2026e8368933c0cdd9c73543a7d60

Download Submit
memory/2616-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2796-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2796-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2796-31-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/3044-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3044-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-22-0x0000000000480000-0x00000000004AB000-memory.dmp

Filesize
172KB

Download
memory/3056-23-0x0000000000480000-0x00000000004AB000-memory.dmp

Filesize
172KB

Download
memory/3056-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing