neconyd | d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810

General

Target

d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
Size

90KB
MD5

d1cbebb87a50f19ebe40d068ab9b2e3a
SHA1

1a40cc5fb7be80577cc1eabd53a48e6d8d64c4ea
SHA256

d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810
SHA512

c10eb92a6879effb6c9502eaafb327857f918cc0b820dc1015a072e55eaf3aaa37a9df13e857bca0145e0621989d586e1b6bd6727c5b16ed5f3630d6fabb439d
SSDEEP

768:EMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAa:EbIvYvZEyFKF6N4aS5AQmZTl/5i

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1020	omsecor.exe
2148	omsecor.exe
2196	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3016	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
3016	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
1020	omsecor.exe
1020	omsecor.exe
2148	omsecor.exe
2148	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1020	3016	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe	30
PID 3016 wrote to memory of 1020	3016	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe	30
PID 3016 wrote to memory of 1020	3016	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe	30
PID 3016 wrote to memory of 1020	3016	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe	30
PID 1020 wrote to memory of 2148	1020	omsecor.exe	33
PID 1020 wrote to memory of 2148	1020	omsecor.exe	33
PID 1020 wrote to memory of 2148	1020	omsecor.exe	33
PID 1020 wrote to memory of 2148	1020	omsecor.exe	33
PID 2148 wrote to memory of 2196	2148	omsecor.exe	34
PID 2148 wrote to memory of 2196	2148	omsecor.exe	34
PID 2148 wrote to memory of 2196	2148	omsecor.exe	34
PID 2148 wrote to memory of 2196	2148	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
"C:\Users\Admin\AppData\Local\Temp\d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
721838d0dc55b0715421fc9940d76768

SHA1
ff6838e5b2ba34bdcb9ff88231ceb593eabddd22

SHA256
1a3f84f95b4006f44fe8c289ee62a578338644765549ddc10375237a8ad69e67

SHA512
bc6588183d2e728d39e32bcb86821f09a526884db9666cc7b05a9705cbaaa096ba72619579201f8fa4ea7de69bb3c0d399f318ee5c4f6566e417f225afb24c73

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
6ba426446de78e3ed07c8211f028ef8b

SHA1
835beafbc008cac4e94cb03dd9d808d315479d90

SHA256
5a9ffa467ee5aa96a1e70ad7e0daafc66f6fa147202f7f412c48b9e7a32c0084

SHA512
d30f804f290e3f628be0e495acd6fc584d877746538f498432fe5958b33fda1a38465246044879eaae7c699855fbe6a568b416df50dd493f356a198ab1e0d531

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
c7ec0306559a7c7010c3ad0bab1c2423

SHA1
9517a0c6f67a223876a7ed0a46f8373f152e0239

SHA256
e47748b5eae34994ec464db5149c8c2c44417efebe5568f327ef51b957b0ed0d

SHA512
4bcbbb40ea96b2e2958a112a3b64e86d7c37c81f4e12fccf61a2b0fd3aecdd181fb82809c5cd8d7feadffecc55626878c7a2a23cd74a6ea58789997692f28bdb

Download Submit
memory/1020-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1020-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1020-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1020-17-0x0000000000330000-0x000000000035B000-memory.dmp

Filesize
172KB

Download
memory/2148-35-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/2148-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2148-30-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/2148-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2196-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing