neconyd | 8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c

General

Target

8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
Size

65KB
MD5

ed316f4bc5b73500ba04a43da4fe8a68
SHA1

43be5deea5f422feb74555055185d40dd5f06b70
SHA256

8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c
SHA512

1544f38cd0fd69bf5af6ccc363cf0eaff45be269f030627e09b5669bae1ba7398339198148a9b693143513823c5300d93faef7c38c4cc64e05df724ffda55813
SSDEEP

1536:ad9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz3:6dseIO+EZEyFjEOFqTiQmRHz3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2124	omsecor.exe
1292	omsecor.exe
992	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2476	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
2476	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
2124	omsecor.exe
2124	omsecor.exe
1292	omsecor.exe
1292	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2124	2476	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	31
PID 2476 wrote to memory of 2124	2476	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	31
PID 2476 wrote to memory of 2124	2476	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	31
PID 2476 wrote to memory of 2124	2476	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	31
PID 2124 wrote to memory of 1292	2124	omsecor.exe	34
PID 2124 wrote to memory of 1292	2124	omsecor.exe	34
PID 2124 wrote to memory of 1292	2124	omsecor.exe	34
PID 2124 wrote to memory of 1292	2124	omsecor.exe	34
PID 1292 wrote to memory of 992	1292	omsecor.exe	35
PID 1292 wrote to memory of 992	1292	omsecor.exe	35
PID 1292 wrote to memory of 992	1292	omsecor.exe	35
PID 1292 wrote to memory of 992	1292	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
"C:\Users\Admin\AppData\Local\Temp\8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
e278d561d6d8b64718a4218dd4760daa

SHA1
3dce6561c9d43b36041001e41b4bac10916bec57

SHA256
53a225331587aadd94af645eb2f658883bfce360033cf85b794866acb2c2f51c

SHA512
c55536bc90523bfa12db52322e152f9dd536f6eaa4f02cd799e7404f72fc10deadbcda220d8625e5494411a2f7003d97a5bb0f3bec081a75cbc58a94134f4543

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
7d3d7de3e2fa5cf93badcae0c31b55c7

SHA1
e78feff035fc2b6579ca56839aa1b1abff624b24

SHA256
9d07b8705d8b7779454f28657a1680e64aae24ed072bd78ebeae4d3da83a6e20

SHA512
ec0294fc2ab091f09e1c56b399dcea68305fbede06cc50aa8e0327ab06b6be1e805539e579ff90c2841a0d69e050ff62c30ee79a4d36bdd38cc0f58fe5d917e3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
fa78f146e261b6cf88b334db1a93afb5

SHA1
3a0193938c4c4b2a45c1d6de7ac2895b599e2004

SHA256
eb2a5b647cbdc06ecd9c5213e0245eb86b3f427f07a84eafad3fc475382a2594

SHA512
1b2899874855ada60f3a6c1e99beb94768c20b82a1847463ac7b60b78e8120d3f87627c77832ea2f03d85d8fbec5ef796dc45dd1aadb51ac674393dd4412218e

Download Submit
memory/992-42-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1292-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1292-33-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1292-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1292-41-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2124-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2124-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2124-25-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2124-24-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2124-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2476-8-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/2476-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2476-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2476-9-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing