neconyd | 5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b

General

Target

5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe
Size

90KB
MD5

d8f41fa66b208c85a07f0b0f278289cf
SHA1

4995c9bc25e9b1c6eab7cb69afd46f00a8147f18
SHA256

5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b
SHA512

bb6b950d9a029382e209237483a61ac9f8948fc67e5a9b3014e0da44c21052100a595e08f53e2a665fc1c2c0f4e924a7c9d42147553a0e15f7715af74f365950
SSDEEP

768:RMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAa:RbIvYvZEyFKF6N4aS5AQmZTl/5i

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2432	omsecor.exe
1080	omsecor.exe
840	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1684	5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe
1684	5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe
2432	omsecor.exe
2432	omsecor.exe
1080	omsecor.exe
1080	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2432	1684	5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe	28
PID 1684 wrote to memory of 2432	1684	5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe	28
PID 1684 wrote to memory of 2432	1684	5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe	28
PID 1684 wrote to memory of 2432	1684	5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe	28
PID 2432 wrote to memory of 1080	2432	omsecor.exe	32
PID 2432 wrote to memory of 1080	2432	omsecor.exe	32
PID 2432 wrote to memory of 1080	2432	omsecor.exe	32
PID 2432 wrote to memory of 1080	2432	omsecor.exe	32
PID 1080 wrote to memory of 840	1080	omsecor.exe	33
PID 1080 wrote to memory of 840	1080	omsecor.exe	33
PID 1080 wrote to memory of 840	1080	omsecor.exe	33
PID 1080 wrote to memory of 840	1080	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe
"C:\Users\Admin\AppData\Local\Temp\5824363188952406e7db4cc219ae680b7e8ba1a7f68f13bfdb18f040804d082b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
54d813eca99ec981a3626dc05dd3d3e2

SHA1
73f199f901a7b38209e90f1caf94000b5c491d0c

SHA256
f733eb23e0102f95d3c30bd32fa587b3c306cae5a7bf2e32c3561c1dee309eea

SHA512
44fb52fb6db353a033c9872ded717a0e7f3fe2ddaa3adbd49ab00f2e6a2bec24b4a5078a0741ef1d3bf729a83c6dd971080c3c9d0e04e53b46bcac19ca59b8f7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
21b97f5fdb943d7250e61262f13ed3b8

SHA1
9a5f888b8cd90a5ae2997bd223b58edb60b3f123

SHA256
578137e2d343cbf0f4b0a4fc0a706c361b7bc166fc88b5d2930bc9dd3026d1f7

SHA512
e027e8dcb0866169bdcdd00739532b699f6aa06bb2d3baabcb6c6f404a7588dc48246c5d5c35dba04c3ffc0bf098f6e97bb2fc24eda758b81a36d482953cf512

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
4a5f07c1ac36d6e98646c8c3ce6c20e3

SHA1
961b13c5ce2dd777fc05673bcf36874fc8d72554

SHA256
26911296f3b498d51d764a283d1c4970050c5a4ec740e8a15850e790965da19b

SHA512
8dde5fa6811d9d540bd201eca11a537914fbe2cdb0ad8dee0daa3299ac3cb4051d96aa86b30e1c6b6ef44facc79a27c7f2d78646f59b003dff11924454eeb1c9

Download Submit
memory/840-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/840-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1080-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1684-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1684-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2432-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2432-23-0x0000000000310000-0x000000000033B000-memory.dmp

Filesize
172KB

Download
memory/2432-22-0x0000000000310000-0x000000000033B000-memory.dmp

Filesize
172KB

Download
memory/2432-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2432-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing