neconyd | 963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74

General

Target

963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe
Size

65KB
MD5

c29f518cfdda70b98868332f5e6595ca
SHA1

7a120d78fadb1317e675e4931e4f5ddbba9da508
SHA256

963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74
SHA512

e0294036a0e8375921e349af80676571bfff47cb22593ee627741a8a175af1a3c2d04370248716b36b1d9f892ac2739486db76c348336329e1c376e6e3c5d718
SSDEEP

1536:ud9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:2dseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1444	omsecor.exe
2852	omsecor.exe
304	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2388	963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe
2388	963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe
1444	omsecor.exe
1444	omsecor.exe
2852	omsecor.exe
2852	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1444	2388	963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe	31
PID 2388 wrote to memory of 1444	2388	963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe	31
PID 2388 wrote to memory of 1444	2388	963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe	31
PID 2388 wrote to memory of 1444	2388	963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe	31
PID 1444 wrote to memory of 2852	1444	omsecor.exe	33
PID 1444 wrote to memory of 2852	1444	omsecor.exe	33
PID 1444 wrote to memory of 2852	1444	omsecor.exe	33
PID 1444 wrote to memory of 2852	1444	omsecor.exe	33
PID 2852 wrote to memory of 304	2852	omsecor.exe	34
PID 2852 wrote to memory of 304	2852	omsecor.exe	34
PID 2852 wrote to memory of 304	2852	omsecor.exe	34
PID 2852 wrote to memory of 304	2852	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe
"C:\Users\Admin\AppData\Local\Temp\963f7765a42f2f317d1bbb10b2d888849d14c804652225cf953647609790fb74.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
465f5669595c1b188e7aeb7262d4efd9

SHA1
84b985422ece5fe58f95043551d07ac7f548d53e

SHA256
fc1a18b757534cee63ea7a96cd07fce74e65bf7c0aef9d4598692c33f966699f

SHA512
62afa3c18b72d4a98d423dbaada908e357a3cfef63f132fb84a5d8d68d4c9ca6c6b7281c5c354d437665035f4f7c678579916cb838df2e798fc2067b987bfd05

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
7adf31250ea4ddaab4171e611d54b796

SHA1
497870ff30af8ac384ff2b2dc1eeffecda173ccf

SHA256
4f3d596e77275e5949dc3e065b20ede2ceb59f8c727a1251bc0c3dcff8979405

SHA512
8b6e65b5dfbde616e88a39eb4cd26a47aa433b7ac6e0406580cfafcad40923186ee799e048d26ba8aa07fe99c7ee294ca600bf0c2bb6a5f636de8e8fb283f10f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
1ae177d5b24af20ef61c579a44a5b17e

SHA1
3dcfcafabd22625a42d9dfae58a90953676b3f20

SHA256
a2d69f67691befe101dacb03255d5ebcf334f214cc50329ec880b93fecd19987

SHA512
7239a2330fad7fffb4f3fe8752418cabf1525a4921253cd9c235497225455e401299813c51826cbd4c9ed6ecd7ed8bc9219a0a8d14a56c159a478710ea4eaf99

Download Submit
memory/304-40-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/304-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1444-23-0x0000000001F70000-0x0000000001F9A000-memory.dmp

Filesize
168KB

Download
memory/1444-17-0x0000000001F70000-0x0000000001F9A000-memory.dmp

Filesize
168KB

Download
memory/1444-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1444-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1444-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2388-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2388-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2852-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2852-31-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2852-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing