neconyd | 9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06

General

Target

9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe
Size

90KB
MD5

76bb43664d3cadfb344f5cfd88c2356a
SHA1

847b9ac72156ce1fbcbf7540059144aed9719409
SHA256

9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06
SHA512

a0e35ce5d2c0696b9b87de8964527eb2d1f0107239b708d1a81711b894d083bda3133890ccfad88b2c9c248edfa6c824f579c94cd292623313507eb4ea3a054e
SSDEEP

768:uMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAK:ubIvYvZEyFKF6N4aS5AQmZTl/5y

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2184	omsecor.exe
1704	omsecor.exe
1300	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2128	9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe
2128	9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe
2184	omsecor.exe
2184	omsecor.exe
1704	omsecor.exe
1704	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2184	2128	9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe	30
PID 2128 wrote to memory of 2184	2128	9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe	30
PID 2128 wrote to memory of 2184	2128	9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe	30
PID 2128 wrote to memory of 2184	2128	9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe	30
PID 2184 wrote to memory of 1704	2184	omsecor.exe	33
PID 2184 wrote to memory of 1704	2184	omsecor.exe	33
PID 2184 wrote to memory of 1704	2184	omsecor.exe	33
PID 2184 wrote to memory of 1704	2184	omsecor.exe	33
PID 1704 wrote to memory of 1300	1704	omsecor.exe	34
PID 1704 wrote to memory of 1300	1704	omsecor.exe	34
PID 1704 wrote to memory of 1300	1704	omsecor.exe	34
PID 1704 wrote to memory of 1300	1704	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe
"C:\Users\Admin\AppData\Local\Temp\9d36448b4bb821ad8659c0e7710498e4d85ca4b25485bb3057af62844eb70b06.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
ede3429f891b692bfe5bc99a98e31381

SHA1
1b8654615275f44a289f9c23c278370a00d800e0

SHA256
274af23e4410c1d588f79a6079c3858d324bcaad8b22eb8fc60863a439b293e3

SHA512
ae8773679990f96bb1486b85ba484b63343387c3ad06739803bd1ea9f2e3624fd680f71124209710e3477723b75f5511ce6037183da011225848b9dff7b23f80

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
c33df7e570355b45860c4e4cdb517576

SHA1
c87a936b6f00ad64df62f6d96c43b529cf1633f0

SHA256
218cefae9539773e76431cc7f50f6bd689f1fa58d5ade23dcbb1cb4faf540b7f

SHA512
ced8353a21a69c77d9f4a6bcc4c7244576e52160c23b084d270330a5987665de0eb3e9de57868364382654ce902b8f302326b665299aa302a09a288266f644e2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
f12bedfe82f40214b4d81a836e1c775b

SHA1
c8ddf9fa84f287d63203d9773d90e373f8b3b3cd

SHA256
d326701de244a0163525aeff286db1e1dffb62e455a9e09a0f9f5373a7158fb5

SHA512
604a202668d2147be20662f8510e34231f08414d5579429420137e4a6805865dcfd73a1de7b1a3084b373003bd0ed08abc153238666ca1ff3396fef3b4c1da88

Download Submit
memory/1300-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1300-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1704-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2128-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2184-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2184-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2184-16-0x00000000002A0000-0x00000000002CB000-memory.dmp

Filesize
172KB

Download
memory/2184-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing