neconyd | b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3

General

Target

b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe
Size

71KB
MD5

9c9f4c915ed4b9b1c5a1b9fbd9ce03d0
SHA1

9b77dd084506bde314014e7219a50e406d2ae947
SHA256

b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3
SHA512

3f383782f0914228a6d4cd630388b92b46f0884780b2ca4c707253cfc24d72e55ff103c2b97257b02b84dde8aa96cda32fac3bc084fccd28675cc0cb4ee17f2c
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:XdseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2376	omsecor.exe
2940	omsecor.exe
2864	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1736	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe
1736	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe
2376	omsecor.exe
2376	omsecor.exe
2940	omsecor.exe
2940	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2376	1736	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe	30
PID 1736 wrote to memory of 2376	1736	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe	30
PID 1736 wrote to memory of 2376	1736	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe	30
PID 1736 wrote to memory of 2376	1736	b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe	30
PID 2376 wrote to memory of 2940	2376	omsecor.exe	33
PID 2376 wrote to memory of 2940	2376	omsecor.exe	33
PID 2376 wrote to memory of 2940	2376	omsecor.exe	33
PID 2376 wrote to memory of 2940	2376	omsecor.exe	33
PID 2940 wrote to memory of 2864	2940	omsecor.exe	34
PID 2940 wrote to memory of 2864	2940	omsecor.exe	34
PID 2940 wrote to memory of 2864	2940	omsecor.exe	34
PID 2940 wrote to memory of 2864	2940	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe
"C:\Users\Admin\AppData\Local\Temp\b76610c7ea0a6b84683c1c68fe15ee58fc6987b84c6c9c1354c88f55105ae8c3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
eb9bc978e7d1c4060d2a1e5df0987c19

SHA1
18f4d4c2f5eaadc7e665db717253d8745a6b77b6

SHA256
345be743e6fb4168737d463929811aaeac78d20794be0501c6a3d2380718d1b6

SHA512
3dbbb72e33e4426c622d67fd52220e9630051b01f0ad97d9760ec1efc612f5be42825b42711107882e67b4140300def173f36d7a644e74f6b6f24550fc7bdc82

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
410902e050cbfa3401fc46756721054e

SHA1
3d1e68edb3df66a640a840d35b78dd7ae7e8f78b

SHA256
79057912942dee86ac43b1956809e330424f6995d995ef91537cb8a6ec501ddf

SHA512
78f0a725e448ce2c8b910ea1d4a161899332f11871b37a9d57913febf336c3eb3aaf60e87286697d17675565ea08d6c1d3d785ddebd69d0c065748e9716f6b9c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
d7f7bfe0e5526b58edf890098deb61d9

SHA1
e56097f3dd02a17f0b0979dddea4dda4f8b77f84

SHA256
bef4b311d76948abdeb5a8b2666e7c3586b95f4d89a770fc94c141e583f6b364

SHA512
10d6e025f31ebc499c41d33911f24897a6703dcbbd78d38ba0a1758c8736144476d98ff6f72f603995d0158bece9c75b04eac757255133b5fd404f20286cce0b

Download Submit
memory/1736-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1736-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2376-17-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2376-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2376-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2376-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2864-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2864-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-29-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2940-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing