neconyd | 8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c

General

Target

8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
Size

65KB
MD5

ed316f4bc5b73500ba04a43da4fe8a68
SHA1

43be5deea5f422feb74555055185d40dd5f06b70
SHA256

8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c
SHA512

1544f38cd0fd69bf5af6ccc363cf0eaff45be269f030627e09b5669bae1ba7398339198148a9b693143513823c5300d93faef7c38c4cc64e05df724ffda55813
SSDEEP

1536:ad9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz3:6dseIO+EZEyFjEOFqTiQmRHz3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1904	omsecor.exe
1560	omsecor.exe
1492	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2124	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
2124	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
1904	omsecor.exe
1904	omsecor.exe
1560	omsecor.exe
1560	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1904	2124	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	30
PID 2124 wrote to memory of 1904	2124	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	30
PID 2124 wrote to memory of 1904	2124	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	30
PID 2124 wrote to memory of 1904	2124	8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe	30
PID 1904 wrote to memory of 1560	1904	omsecor.exe	33
PID 1904 wrote to memory of 1560	1904	omsecor.exe	33
PID 1904 wrote to memory of 1560	1904	omsecor.exe	33
PID 1904 wrote to memory of 1560	1904	omsecor.exe	33
PID 1560 wrote to memory of 1492	1560	omsecor.exe	34
PID 1560 wrote to memory of 1492	1560	omsecor.exe	34
PID 1560 wrote to memory of 1492	1560	omsecor.exe	34
PID 1560 wrote to memory of 1492	1560	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe
"C:\Users\Admin\AppData\Local\Temp\8d60efdab6c707b2bae933f9d17a453e9bb0070ff19a95dbf7535a8405c9888c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
7d3d7de3e2fa5cf93badcae0c31b55c7

SHA1
e78feff035fc2b6579ca56839aa1b1abff624b24

SHA256
9d07b8705d8b7779454f28657a1680e64aae24ed072bd78ebeae4d3da83a6e20

SHA512
ec0294fc2ab091f09e1c56b399dcea68305fbede06cc50aa8e0327ab06b6be1e805539e579ff90c2841a0d69e050ff62c30ee79a4d36bdd38cc0f58fe5d917e3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
b5c5b26a8a615af69f0e44496499424e

SHA1
b8d6da8382138fc5f8d0ba83a772ea3fd7c1df45

SHA256
08a2ac9b2a3ca968e11692d6879902c4353c2fbc3516f7e5f58fcbbfbb318b5b

SHA512
6c1078c44f1e1d3172466041058f5d889edcfbe429cd3ed913892fc1fd5d03f7ea6478f60fff0cf2a2857272f0ba6db4c914ef2fbb396a9c19a5b4242a5e25aa

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
89f61afc6a0325b446371325819e4fac

SHA1
74c1bd6460ab209a107f4b2b365d92c4327e1a4e

SHA256
496d64db969a353dd7ecefcf59cd0ccc12c31162467a940d3c073d99f7273374

SHA512
9af5536117aeda0d6eba3bab5ec5cf78fca4f046817d4dd4bff74a849bc14a461e3731d77754fb9fbc8711965685ea472c696ffaf1b879b443032014463a4b45

Download Submit
memory/1492-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1492-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1560-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1904-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1904-18-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/1904-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1904-24-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2124-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2124-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2124-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2124-10-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing