neconyd | 24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71

General

Target

24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
Size

71KB
MD5

fbfd6ceec92235dbd62511953284ff0c
SHA1

2d823371212511f61382601ac233ed60e624896d
SHA256

24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71
SHA512

e0ab32877220df84be9cb1540762bd7da831b425e176152ef884b2d8895b5246c67d06e4ccfe29f1f199fb492dfeba13cced8ee8b4b5f0fe33c877ef8611a13c
SSDEEP

1536:dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHP:VdseIOMEZEyFjEOFqTiQmQDHIbHP

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1728	omsecor.exe
1140	omsecor.exe
704	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3016	24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
3016	24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
1728	omsecor.exe
1728	omsecor.exe
1140	omsecor.exe
1140	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1728	3016	24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe	30
PID 3016 wrote to memory of 1728	3016	24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe	30
PID 3016 wrote to memory of 1728	3016	24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe	30
PID 3016 wrote to memory of 1728	3016	24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe	30
PID 1728 wrote to memory of 1140	1728	omsecor.exe	33
PID 1728 wrote to memory of 1140	1728	omsecor.exe	33
PID 1728 wrote to memory of 1140	1728	omsecor.exe	33
PID 1728 wrote to memory of 1140	1728	omsecor.exe	33
PID 1140 wrote to memory of 704	1140	omsecor.exe	34
PID 1140 wrote to memory of 704	1140	omsecor.exe	34
PID 1140 wrote to memory of 704	1140	omsecor.exe	34
PID 1140 wrote to memory of 704	1140	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe
"C:\Users\Admin\AppData\Local\Temp\24abcc49509da980f743a24b87999bf42c7a0cd21667bc1f74a714cc9c1b0f71.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
d3cc034cbb39415bbe4de7d92d9bb0bc

SHA1
5e6280f787b2c3ed171b866f9c1caae14956598c

SHA256
0c872d84f8a63762cf84ddfbf8a6b888b2bb157fa1f858b30c25079becd1fd72

SHA512
11cf225a4101c19bd0f45921408218027711fc43d50857d94f69cf0bcde56ee5641275214cbdb45f47ffa50f9fac8997129c07cde8bdced3d36868c287f69988

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
d2e8efb4bff74b7b79c9e72b5ed4c6b8

SHA1
d0f09c4adfbbc84caf4defc82b2dc22be615860d

SHA256
e2ae741c3db6444e9dd52e7ba156d0f364b8a607d5a6d949473409ae31709bb4

SHA512
e628ab2c477b6f3d4d58a93ea49f40ca6b68ca3eeef02519613d89f7b7255311f4cd59a7b142d2cc9f25e93af471a6c47129c9aebcbb7e384d6eb7d67302d6d4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
8f88f36612872ec0b0cbcdcacacebb2e

SHA1
cfd828a9ed2b29c47667083dd1fc85983005f5ac

SHA256
79940a5f1b4c78f965d5583a4fbab90fe834e1ae3c8f5ca83eceb0adb315bd0c

SHA512
7441a3f2910f34f424414fa78194c7f530d8ab8333a6ce78169c7b0c060b2bc8b0de0a9acf3b49e342a2370e7ceea90246836ce871beec3665f332f2fe6dd0d0

Download Submit
memory/704-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1140-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1140-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1140-32-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1728-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1728-23-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/1728-24-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/1728-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1728-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-4-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/3016-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing