neconyd | 011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681

General

Target

011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
Size

71KB
MD5

7ddc1a5c59e68242c7687033f8af05c1
SHA1

643c3a979d53d748afcb2631343693a6a3cf210e
SHA256

011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681
SHA512

ec5a2dbae1a4715b409bfb892c2227ca9c98eba5a54853c5094e485a2fb09b92115c1b8edd7d4571c26ca1470d3251ce837f1c71e68f9a45ed7d815f4b750580
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHf:TdseIOMEZEyFjEOFqTiQmQDHIbHf

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2156	omsecor.exe
1992	omsecor.exe
1528	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2200	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
2200	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
2156	omsecor.exe
2156	omsecor.exe
1992	omsecor.exe
1992	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2156	2200	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe	30
PID 2200 wrote to memory of 2156	2200	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe	30
PID 2200 wrote to memory of 2156	2200	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe	30
PID 2200 wrote to memory of 2156	2200	011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe	30
PID 2156 wrote to memory of 1992	2156	omsecor.exe	33
PID 2156 wrote to memory of 1992	2156	omsecor.exe	33
PID 2156 wrote to memory of 1992	2156	omsecor.exe	33
PID 2156 wrote to memory of 1992	2156	omsecor.exe	33
PID 1992 wrote to memory of 1528	1992	omsecor.exe	34
PID 1992 wrote to memory of 1528	1992	omsecor.exe	34
PID 1992 wrote to memory of 1528	1992	omsecor.exe	34
PID 1992 wrote to memory of 1528	1992	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe
"C:\Users\Admin\AppData\Local\Temp\011dfba13ff74b5dac784c394a342dd204bd708dbcc2d35b808fb985e7efc681.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
e5fa2528e594d55396f1ce884565d3bc

SHA1
4aec927bec4b5605893d4781dedd7dc017c3e2ca

SHA256
1beebee7485d2769b07c25af69a7c79e92da8d08ecc1ac20dbad9faad6f8ec42

SHA512
cfdbf0ef184448565fc62f0d153ff0bd959c2d6f9f0fa38a3e4eb2aadcb34a03d0a50a3e6b28af13d96af6ef547448da5ea91545149b337dce23765abaed6520

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
70eb4a3c9de9142b93c8f0a2496a634a

SHA1
194f0e6ddfc81d5a202c8164edff01cab3517a35

SHA256
27b25b39a6abed85cb8d982e6a0bb2da11e561a7125ef6af67984395d997ec5b

SHA512
44f809d7480e9bbddbb0867caa687c281337ea81a1db14138e5d6711c4ac5523afbf4a3081cd06b012f62dacda4c5ab194475a0cc7fb6a03b5d160efa869b495

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
c990031a4efe6fd6e33ccfb63984daff

SHA1
6ef034e3cf9bf100f2c7787fe082574362000e6b

SHA256
b065acf63963090d2c21a7698da5376895d5cd85094d8e2f3c5db143cbc07857

SHA512
a75d83e3184ba739705a2798d30bb2a733e8c27f4e6ef194842438756a9f8a7806b99592874f6b594ecedc7564326c70dfb887b58ba73e285954dbe0dbf4c9ef

Download Submit
memory/1528-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1992-29-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/1992-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1992-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1992-37-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/2156-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2156-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-4-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing