neconyd | 92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6

General

Target

92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
Size

90KB
MD5

4cfcc2372b0d1cec4ca5cd9de9c37d45
SHA1

9296d10dcd3135c5744e32409c2c4b5340d91419
SHA256

92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6
SHA512

e0832dcc6b19a14e90feeb51d5ac78628294c49d75b1dacb1a68d047680d0919b6e90fd66c85e2a2c3b1abc1b233344ca79e9f07f96e30858c1c87fb929fb671
SSDEEP

768:GMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA6:GbIvYvZEyFKF6N4aS5AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2360	omsecor.exe
1188	omsecor.exe
2336	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2588	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
2588	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
2360	omsecor.exe
2360	omsecor.exe
1188	omsecor.exe
1188	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2360	2588	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe	30
PID 2588 wrote to memory of 2360	2588	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe	30
PID 2588 wrote to memory of 2360	2588	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe	30
PID 2588 wrote to memory of 2360	2588	92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe	30
PID 2360 wrote to memory of 1188	2360	omsecor.exe	33
PID 2360 wrote to memory of 1188	2360	omsecor.exe	33
PID 2360 wrote to memory of 1188	2360	omsecor.exe	33
PID 2360 wrote to memory of 1188	2360	omsecor.exe	33
PID 1188 wrote to memory of 2336	1188	omsecor.exe	34
PID 1188 wrote to memory of 2336	1188	omsecor.exe	34
PID 1188 wrote to memory of 2336	1188	omsecor.exe	34
PID 1188 wrote to memory of 2336	1188	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
"C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
8dee2d8cae1e243c9808a04cc886c746

SHA1
c501945a7d593253b68d2e99063bf5d68fda83b9

SHA256
bdc917a2b628176bebdc844a510f84bc568088d971514be7fce9ae29d0f63df9

SHA512
bfd3a84e8fa78b0bf440417a15f0a70a4906b7685c9c0efb13f9304db2df6f3edf26690c83cddd90e45c3448f78bd86ca4dd4349f6747d043a03c6fe348c6df6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
366487e943477f12b53cfe3c40ec6f50

SHA1
c6d8e6ebaa32b4a2a3b59764750b7eb23519f79c

SHA256
ddc406eb47f7e1c4bea965fe624efefcd792b984540f2a1d1b8e0497eb976bfa

SHA512
8b3a3f11fe7b68c5e64f5590ed28a7398b2d4279f1f196a8c05cf159448f48da984fc665021bd49ecf8e8d0cf54eeb3074744b71e3426bb693c2f2bc8363c028

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
53989adf3e77c4866b5ffc4ef8220ac2

SHA1
f3652fefb1494c91342aaf02742ed4f500a7e56f

SHA256
c553fb853e0b6bde8ed6e978314b465e9b17ca660ce1ca3b79a1d1055b9564fc

SHA512
27c081f05a8a88d309301d5d9aa7d2017742062d551773622bbc24196aa02d0047573bc7d6d4ccf2a14e9f3c5b6516423b42d96dff1f6fce120dbe708b023041

Download Submit
memory/1188-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1188-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1188-31-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2336-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-24-0x0000000000300000-0x000000000032B000-memory.dmp

Filesize
172KB

Download
memory/2360-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-39-0x0000000000300000-0x000000000032B000-memory.dmp

Filesize
172KB

Download
memory/2588-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2588-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2588-4-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing