neconyd | a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73d

General

Target

a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe
Size

90KB
MD5

c8e99543794cb8b16b2c7a8f8c93e5b0
SHA1

7edf14b7178e2da719ea797b1ba39b5d0d5559b3
SHA256

a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73d
SHA512

edac828172fd9f58058ac40f199a6ff200bb785a29231fe25b0ab45eb7bfabe6f9d00fbec82ec97e433ecb1a8a7031099063b7e142f9a1e5e913d5bf75fc9e72
SSDEEP

768:aMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAO:abIvYvZEyFKF6N4aS5AQmZTl/5G

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
344	omsecor.exe
2124	omsecor.exe
2972	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2568	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe
2568	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe
344	omsecor.exe
344	omsecor.exe
2124	omsecor.exe
2124	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 344	2568	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe	30
PID 2568 wrote to memory of 344	2568	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe	30
PID 2568 wrote to memory of 344	2568	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe	30
PID 2568 wrote to memory of 344	2568	a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe	30
PID 344 wrote to memory of 2124	344	omsecor.exe	33
PID 344 wrote to memory of 2124	344	omsecor.exe	33
PID 344 wrote to memory of 2124	344	omsecor.exe	33
PID 344 wrote to memory of 2124	344	omsecor.exe	33
PID 2124 wrote to memory of 2972	2124	omsecor.exe	34
PID 2124 wrote to memory of 2972	2124	omsecor.exe	34
PID 2124 wrote to memory of 2972	2124	omsecor.exe	34
PID 2124 wrote to memory of 2972	2124	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe
"C:\Users\Admin\AppData\Local\Temp\a12d1a55dd0024184c19335b617ec0ac46dfed68a712f3f1076b16d3c11ab73dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
e7d2cd0245f3cf8ec5a74f561a48b9f9

SHA1
abba59d2412f0059506c421640fc5f388f207021

SHA256
5c528d647cd99980d98ab2d5f733971735e029ebf9d9ccc2b3c0aeab20528d12

SHA512
fdef2e55b421f2033e466e8dc81ceba74f094587908351067ba3afce713ea35d978c09397c6f6549c29ca6aea2a78d44525d6ceab430b36ed2dd3828bcc83493

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
e03143aa9d53cab1cb1a8c427f3b84da

SHA1
75d271b70bebe3c7f939851795b69266bcb88a3b

SHA256
35c22f0e9a7c26a694762789d95441f1d146a18876f029b419d25a84ccc1bc88

SHA512
add7f1086e81f13fc53554d3711dff6956b95e2d91835b202d7417a97865de2f2f0025f09e1f38fdf1af4aa55455d42d001e60615327e09b55d644bc0e0a1df2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
4f736f09b211016e616d499f7a3e801c

SHA1
18b7d75701afd0034fa181a29cce7aeb30a23d8a

SHA256
0dfd8987147b285f9c2b6df36e567e47420603de305ecbfe8485423e20b807e0

SHA512
58be43b755a018f6e22b8164a5ec6b391364be2bbafce8fac7393460428fd26b86598634d6e4c8faf16166d37de65225edade1180acf96e73438d1795a168474

Download Submit
memory/344-24-0x0000000001FA0000-0x0000000001FCB000-memory.dmp

Filesize
172KB

Download
memory/344-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/344-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/344-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/344-23-0x0000000001FA0000-0x0000000001FCB000-memory.dmp

Filesize
172KB

Download
memory/2124-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2124-32-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/2124-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2568-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2568-4-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2568-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2972-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing