neconyd | d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810

General

Target

d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
Size

90KB
MD5

d1cbebb87a50f19ebe40d068ab9b2e3a
SHA1

1a40cc5fb7be80577cc1eabd53a48e6d8d64c4ea
SHA256

d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810
SHA512

c10eb92a6879effb6c9502eaafb327857f918cc0b820dc1015a072e55eaf3aaa37a9df13e857bca0145e0621989d586e1b6bd6727c5b16ed5f3630d6fabb439d
SSDEEP

768:EMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAa:EbIvYvZEyFKF6N4aS5AQmZTl/5i

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2720	omsecor.exe
2820	omsecor.exe
2012	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2400	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
2400	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
2720	omsecor.exe
2720	omsecor.exe
2820	omsecor.exe
2820	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2720	2400	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe	30
PID 2400 wrote to memory of 2720	2400	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe	30
PID 2400 wrote to memory of 2720	2400	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe	30
PID 2400 wrote to memory of 2720	2400	d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe	30
PID 2720 wrote to memory of 2820	2720	omsecor.exe	33
PID 2720 wrote to memory of 2820	2720	omsecor.exe	33
PID 2720 wrote to memory of 2820	2720	omsecor.exe	33
PID 2720 wrote to memory of 2820	2720	omsecor.exe	33
PID 2820 wrote to memory of 2012	2820	omsecor.exe	34
PID 2820 wrote to memory of 2012	2820	omsecor.exe	34
PID 2820 wrote to memory of 2012	2820	omsecor.exe	34
PID 2820 wrote to memory of 2012	2820	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
"C:\Users\Admin\AppData\Local\Temp\d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
6ba426446de78e3ed07c8211f028ef8b

SHA1
835beafbc008cac4e94cb03dd9d808d315479d90

SHA256
5a9ffa467ee5aa96a1e70ad7e0daafc66f6fa147202f7f412c48b9e7a32c0084

SHA512
d30f804f290e3f628be0e495acd6fc584d877746538f498432fe5958b33fda1a38465246044879eaae7c699855fbe6a568b416df50dd493f356a198ab1e0d531

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
7b6b486a661a303be7697ada5a567ed2

SHA1
484b9fcdf2e7358c3882a69e4f39f5961171008a

SHA256
dc3d40c142eef9a8f49b80e8bbcdc8486ed9b2089a013fd8e7415985add7d09a

SHA512
1bf351ab1692b94b45229ba41ab8303a45ad719034aab3dcff77da72b2ff34193f0a685857edb1dafd994461e5455b4aafd577d1997abfbb3e9553c3f55d9cb2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
62736310e89465b0a57b8b2bc8860c28

SHA1
238e6a649057ae904608917725dbd9016ea1fb8f

SHA256
6df5e03a8578fb06be595585101a7fecd9c9b0d52612735590e94c693cb43bc2

SHA512
8986d5aaf65b9460fb3c124fda838636b9199db9d11ee0834b2121a9a8f81592659d370b07379da2929202c9760472ffdcb6c9eb6a6d12fd04606cf2d7f83504

Download Submit
memory/2012-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2400-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2400-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2720-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2720-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2720-17-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2720-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2820-29-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2820-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing