neconyd | 0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3

General

Target

0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe
Size

71KB
MD5

14609222ad04fd8fcf5d5c9107ee25e0
SHA1

15f317f2e29c854d53b281f4aa6b2af3e0627352
SHA256

0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3
SHA512

76f754cf0d2ed9f3013a81c8ad8189dca0f13955310c0f9cb1a68c656ddb7fb247914a9d2aa10e989c503c2ae658759830ff28bc8765d15a3853cfd5f1138aae
SSDEEP

1536:Rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:hdseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2360	omsecor.exe
648	omsecor.exe
1452	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2140	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe
2140	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe
2360	omsecor.exe
2360	omsecor.exe
648	omsecor.exe
648	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2360	2140	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe	30
PID 2140 wrote to memory of 2360	2140	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe	30
PID 2140 wrote to memory of 2360	2140	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe	30
PID 2140 wrote to memory of 2360	2140	0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe	30
PID 2360 wrote to memory of 648	2360	omsecor.exe	33
PID 2360 wrote to memory of 648	2360	omsecor.exe	33
PID 2360 wrote to memory of 648	2360	omsecor.exe	33
PID 2360 wrote to memory of 648	2360	omsecor.exe	33
PID 648 wrote to memory of 1452	648	omsecor.exe	34
PID 648 wrote to memory of 1452	648	omsecor.exe	34
PID 648 wrote to memory of 1452	648	omsecor.exe	34
PID 648 wrote to memory of 1452	648	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe
"C:\Users\Admin\AppData\Local\Temp\0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
dda13a3546a19d197c533f738d1829fb

SHA1
20c33645a31f97a18aa86b8bd439984a39140053

SHA256
f78f71b44c00b965ee8ed3c4f169d7b76e69835ec6343231fd4a0ebab969686b

SHA512
2f0590082529492fe3e0ce3485cd8bf29bf0143966f3fa16727828181a82958ad03a2b8bb33c6942c6eea79d871aee939d5515585f272397dc12fb7328340935

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
47fbf2ab7ff8c59718d3b122bf78a874

SHA1
e470cf7b9413e728d0e317d6823eb2fc6403fb28

SHA256
9b6b886ef5cf4622151ff50527152311d2f2d8d10300c2915dd9ace8d8379b22

SHA512
a48bed3b84e2386364590cb314b9f1a6db7caf8e73a80e8118cd9154546b0017334309ae72260392e4fac76c31652ef94432cb5df318747130ad3b9a20efb431

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
c933b22c51a84ae7adbea1502e42c0de

SHA1
750fb2b50052ab9637e4f7b67e7e24eb20e1b851

SHA256
e6dc1b076494d0810efb0f538c5c54aebff839806c192f62484119fb82d707a7

SHA512
3c960e7e7f0a9198a3c89002b71f0db9d5b56f97c6c86f4af62dc7b91f2ed37957cf97fd43548e27a90f083249c4db8ab51403f5cc864f5054d358f5cd974afa

Download Submit
memory/648-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/648-30-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/648-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1452-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1452-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2140-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2140-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-17-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/2360-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing