neconyd | 339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247

General

Target

339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
Size

33KB
MD5

cc78612706f777dd9cbe41e98b11f15b
SHA1

784736d5e0f78f8de86e718d684dd9ff5e64e0cb
SHA256

339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247
SHA512

4ab445cacfa69b92b2a7ecf9ff3007f934aa40649113cdc3dbcc435ac39ebc384c98cbf4c5bdf895e44a12a921e30973dd55d7f35ffda5bb12eb53c24ccbc150
SSDEEP

768:UfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:UfVRztyHo8QNHTk0qE5fslvN/956q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2612	omsecor.exe
1752	omsecor.exe
2432	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
548	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
548	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
2612	omsecor.exe
2612	omsecor.exe
1752	omsecor.exe
1752	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2612	548	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe	31
PID 548 wrote to memory of 2612	548	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe	31
PID 548 wrote to memory of 2612	548	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe	31
PID 548 wrote to memory of 2612	548	339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe	31
PID 2612 wrote to memory of 1752	2612	omsecor.exe	33
PID 2612 wrote to memory of 1752	2612	omsecor.exe	33
PID 2612 wrote to memory of 1752	2612	omsecor.exe	33
PID 2612 wrote to memory of 1752	2612	omsecor.exe	33
PID 1752 wrote to memory of 2432	1752	omsecor.exe	34
PID 1752 wrote to memory of 2432	1752	omsecor.exe	34
PID 1752 wrote to memory of 2432	1752	omsecor.exe	34
PID 1752 wrote to memory of 2432	1752	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe
"C:\Users\Admin\AppData\Local\Temp\339985d9127606d13f7a837e3f23ec7365f29c6ddb579aeb902cd82b4c21a247.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
ebbf5c33067cb11bf3aa3c339191e626

SHA1
4955facaf7a98cfdb909d553644f16b820414691

SHA256
a7b2ce28b3d47705c29d9bc00e154bd7243935e95d45834b2116082bfca56171

SHA512
0e9663956f6a9b9b85880bbe31413fab8c7aa6647a1f70e2f92745822b52feb1e9bf9234956b64e38ecd78dbca526c3b9fbc0ab68726faf61db71b10033896fa

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
3fd6893b053841e6747cf998154369c5

SHA1
604922f2f469eb40d1ff7a9fdf9fbe63c3d183cf

SHA256
ddea204a98d44ce6cf484e3d07fbb19cca05fb61ab6c0c8cbdf0b7425353753e

SHA512
ad800d8fb28900b8f0a714ebb65716429ba20f983b2677a03e8039e4dae845e2b9656851f3dc81ce7d8fbcc172230d3c86b6b1e6d51d2a2cb1eaa1c89a582727

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
72360a6fad605408c96c80ae0ea82f1c

SHA1
cdc8f8138e7867f516739f2b141ed6acbea34cbf

SHA256
4adbcc564dbed7964a2a2999b4916016098013fc59dcad2b4b4eda370b62fc90

SHA512
ae5f96be33e657cc63325e9b3071d6a3507574346f5379444925913099dc55aa8435e612e275f3cc729c8a4a70bc4348f72834c3b699953c6c22f6285fd4fbea

Download Submit
memory/548-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/548-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/548-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-44-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2432-45-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2432-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2432-51-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2612-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2612-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2612-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2612-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2612-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing