neconyd | 552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0a

General

Target

552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe
Size

90KB
MD5

3a82eb515db227739dce0ce1e37109f0
SHA1

a703d691e09ed5061f614582ada2ccac721fc937
SHA256

552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0a
SHA512

18226b297c1370fb4f7ef007509d844c6ca5b0067bed12470e605f0a17238fd93130c3bb90c7096a685c6ed4d7154c0e99b0b33aa79d0b0265b6fc7f615820fa
SSDEEP

768:XMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAe:XbIvYvZEyFKF6N4aS5AQmZTl/52

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2788	omsecor.exe
2516	omsecor.exe
2872	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2932	552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe
2932	552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe
2788	omsecor.exe
2788	omsecor.exe
2516	omsecor.exe
2516	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2788	2932	552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe	30
PID 2932 wrote to memory of 2788	2932	552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe	30
PID 2932 wrote to memory of 2788	2932	552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe	30
PID 2932 wrote to memory of 2788	2932	552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe	30
PID 2788 wrote to memory of 2516	2788	omsecor.exe	33
PID 2788 wrote to memory of 2516	2788	omsecor.exe	33
PID 2788 wrote to memory of 2516	2788	omsecor.exe	33
PID 2788 wrote to memory of 2516	2788	omsecor.exe	33
PID 2516 wrote to memory of 2872	2516	omsecor.exe	34
PID 2516 wrote to memory of 2872	2516	omsecor.exe	34
PID 2516 wrote to memory of 2872	2516	omsecor.exe	34
PID 2516 wrote to memory of 2872	2516	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe
"C:\Users\Admin\AppData\Local\Temp\552cce1d9536b61d5d9adaedabecdc553e4474109b27ef3d7d9537d80c0f3a0aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
64def8a985fab3f65262a02f2942f349

SHA1
d63f4cbd490c99c3812c477c0dc1136639f08691

SHA256
c6e7b9b8f82d2a14c8e5199ef979eb23639c049ff702ca0ffff669f253c24acd

SHA512
c60572f3817e2e7a2674b0a0eb422fda0fde4b5142e3c2614dbae7a2bd5e1819b160dc6aac98e72bddce75d5b5e7559ee35dff2d70c3eee110f9c4751526eb67

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
16db2cd6be1c17006cfc28467797a692

SHA1
95dd14e0996353d5037a65bde638ea00641a2d9f

SHA256
aa4130aa2fa73684130e7bee98d2d1a05529cca94ed3463632173044c9e1c476

SHA512
a9134488bfc7a35dc1bbdd894ac53ff63ca258ead6d004ddb9bf6977e6eed71538cc9439e2230390d5bc7add9b6aaf8cbca735cd53df1c9663d83971dc79a861

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
544ec9eb9839454f9f76e928d2e613d7

SHA1
351b07288439b45e1b7aa7ad7d4ad284708f4d88

SHA256
e4ca7c56d7674da03e89c95ceef3890288343661b039632e3274821705205119

SHA512
81b050c26e8a2c5018992162448c3c6fec027686bb8f13bc309103d697466f531fff000edc221a89aad7d26752e0a23213cf0b873baeb16dc8420fc23d47e323

Download Submit
memory/2516-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2788-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2788-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2788-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2788-20-0x0000000000430000-0x000000000045B000-memory.dmp

Filesize
172KB

Download
memory/2872-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2872-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2932-8-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2932-14-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2932-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2932-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2932-10-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing