neconyd | 9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942

General

Target

9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe
Size

71KB
MD5

64b0bf70fefe4bf1296961ce787bfbf0
SHA1

289a69ff9545ce549ed89088fc1ff0fa24444a12
SHA256

9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942
SHA512

be8a610a89b5bf1c3f462378fcddcf85a8ea8f079fc67cf88afc054ecfe7f77301f563218ed64f12a20fc110b9fc3acdae2ed3c61f310342d7766328ce6d6b6b
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:TdseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2692	omsecor.exe
1608	omsecor.exe
1888	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2644	9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe
2644	9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe
2692	omsecor.exe
2692	omsecor.exe
1608	omsecor.exe
1608	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2692	2644	9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe	31
PID 2644 wrote to memory of 2692	2644	9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe	31
PID 2644 wrote to memory of 2692	2644	9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe	31
PID 2644 wrote to memory of 2692	2644	9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe	31
PID 2692 wrote to memory of 1608	2692	omsecor.exe	34
PID 2692 wrote to memory of 1608	2692	omsecor.exe	34
PID 2692 wrote to memory of 1608	2692	omsecor.exe	34
PID 2692 wrote to memory of 1608	2692	omsecor.exe	34
PID 1608 wrote to memory of 1888	1608	omsecor.exe	35
PID 1608 wrote to memory of 1888	1608	omsecor.exe	35
PID 1608 wrote to memory of 1888	1608	omsecor.exe	35
PID 1608 wrote to memory of 1888	1608	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe
"C:\Users\Admin\AppData\Local\Temp\9cfdaab58edcca5b8ccd8f35bd2f13198ef19cc2c6572da18cc793734710c942N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
ed894022ef4b3e6f11280cc3968cfc81

SHA1
3f2fb5c0e47bc8321739db23b029866bd9ee369e

SHA256
e468b5fd32fb186a4b35740741b8fda71d2bf0e9a6adc49e728ce6e958e00d8b

SHA512
c0db1b68a82de37daa4e585d9b27e4fb00051dd9bc089ff8282de296e98e393d1cfe48cc0267025ed1875fddec229e6fd40a6d7f4c36268804657d0558ce782f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
52ca529332aca356f33798a762b038fd

SHA1
d8acbc5b6de69903b74c75232cef250a7554c441

SHA256
d11f4ecf43a23943d5b67bf91c01ac9ceccad9308317eed14a362d59dddba518

SHA512
b97dc14ede342c218031e47a6b0232e9ee3fc93383473ad12c8fe36c3a747d66ebdcab9fc0266caf43b5b6e2bd71c111ef821e508421dc1f92ffe14046feaeef

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
36fc1e8b2c17b310300efc2201d1065a

SHA1
da7fca071100c65977718d8fa27a048137c4e56d

SHA256
da27248e345720f49d9923d730f94b9c7ba2e19a845b06da6975208f2946b731

SHA512
28a975102b04cab1be0c088fb736566e52ab379325dd248da3ad3d95bad92aeed6c390b55e28bcd42f5050cb743cbbf4368879234fe58c591b3923233136b218

Download Submit
memory/1608-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1608-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1888-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1888-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2644-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2644-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-17-0x0000000000430000-0x000000000045B000-memory.dmp

Filesize
172KB

Download
memory/2692-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing