neconyd | 5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5c

General

Target

5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
Size

71KB
MD5

3958deddaef3fe3737c2a7566c3f3800
SHA1

051a7a844e9bf717ee161af71333a78115aac3b8
SHA256

5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5c
SHA512

29c580730edeebabf5b0c49abc058c64b1d2d1fe21f285d0cff4f07c49a43e2efbd0629c89a9a2742f3a16fa1a69cb882605e6e25fbe0f93e6352918d087657f
SSDEEP

1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:4dseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2768	omsecor.exe
2908	omsecor.exe
848	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2692	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
2692	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
2768	omsecor.exe
2768	omsecor.exe
2908	omsecor.exe
2908	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2768	2692	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe	31
PID 2692 wrote to memory of 2768	2692	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe	31
PID 2692 wrote to memory of 2768	2692	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe	31
PID 2692 wrote to memory of 2768	2692	5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe	31
PID 2768 wrote to memory of 2908	2768	omsecor.exe	33
PID 2768 wrote to memory of 2908	2768	omsecor.exe	33
PID 2768 wrote to memory of 2908	2768	omsecor.exe	33
PID 2768 wrote to memory of 2908	2768	omsecor.exe	33
PID 2908 wrote to memory of 848	2908	omsecor.exe	34
PID 2908 wrote to memory of 848	2908	omsecor.exe	34
PID 2908 wrote to memory of 848	2908	omsecor.exe	34
PID 2908 wrote to memory of 848	2908	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe
"C:\Users\Admin\AppData\Local\Temp\5d0f8ac9da9ca44a4c2a845798c1992cac715cd7e60c28ad6524e20b3aa3cd5cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
14609222ad04fd8fcf5d5c9107ee25e0

SHA1
15f317f2e29c854d53b281f4aa6b2af3e0627352

SHA256
0032ca1e11441f8195063e0575b9e01543be237ce98ad294f69c5a116e129df3

SHA512
76f754cf0d2ed9f3013a81c8ad8189dca0f13955310c0f9cb1a68c656ddb7fb247914a9d2aa10e989c503c2ae658759830ff28bc8765d15a3853cfd5f1138aae

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
939ac864579eefc7a2cd3e91d48f73d9

SHA1
3f914a01faf6328cf8db0e8d4877c3a86761f8c0

SHA256
ba9cd28996246bd4f8e70f1562cd554170e25552028d13d24ba3e1b0c11ea460

SHA512
d76cbd5245bb1347ccf7302a54563f936558cc92c14bbbbf750a5f2648f5922e76e1af06892f98a5217718fbe4a8d44832b49c4beebccd30debfdf81f73e9a74

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
2afbd95c98ad53d0ac5ceda9e71d06e0

SHA1
d741e24b7275fac5cf6e37327a50b21276b399ac

SHA256
cc0454293564869a29d6a514ece5e76e78485278bc70b1bda303d37637d498c3

SHA512
534dfb10e4c5a2586ab85121857acec0deb2404070ecc010ed0caf4fde31aa21bea324ca58208cb1a4fed08a3ca33c463967cd1f1adeaf5a43d44805b1fe5461

Download Submit
memory/848-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-10-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/2768-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2768-17-0x0000000000350000-0x000000000037B000-memory.dmp

Filesize
172KB

Download
memory/2768-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2908-28-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2908-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing