neconyd | 11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dc

General

Target

11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe
Size

90KB
MD5

9dc74ef365860cecd6f424c3266a58a0
SHA1

d336ca7fa16851d7a03fec28db23d62c98e0d33b
SHA256

11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dc
SHA512

e6f4aa3db6afa5387a3bc9af0dbf882d8695f2576a739673483ea2a168e438108b2a31cbb394636f3a27b008482f6f8becc184f88b97f69c3bf79f5ec5195211
SSDEEP

768:uMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAO:ubIvYvZEyFKF6N4aS5AQmZTl/5G

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1204	omsecor.exe
676	omsecor.exe
792	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
632	11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe
632	11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe
1204	omsecor.exe
1204	omsecor.exe
676	omsecor.exe
676	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1204	632	11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe	30
PID 632 wrote to memory of 1204	632	11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe	30
PID 632 wrote to memory of 1204	632	11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe	30
PID 632 wrote to memory of 1204	632	11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe	30
PID 1204 wrote to memory of 676	1204	omsecor.exe	33
PID 1204 wrote to memory of 676	1204	omsecor.exe	33
PID 1204 wrote to memory of 676	1204	omsecor.exe	33
PID 1204 wrote to memory of 676	1204	omsecor.exe	33
PID 676 wrote to memory of 792	676	omsecor.exe	34
PID 676 wrote to memory of 792	676	omsecor.exe	34
PID 676 wrote to memory of 792	676	omsecor.exe	34
PID 676 wrote to memory of 792	676	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe
"C:\Users\Admin\AppData\Local\Temp\11c42be8f26b94a19b8e0d3116f67a07c2944c884437af9168feeebdc7cac7dcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
50343c73958877351f975fafdbfb0e8c

SHA1
9cbed012dbb7032738d93582d8adec525ae79688

SHA256
d953f621d2a6a7d208e0ea3aeaf0cef5902f2dc1fb46676d641a4fbdf73c6b8f

SHA512
5347fdae70d55bb1073a8d20c05c841bc0695d13b9b68360c99fbddd5354c53781c9834d874f16722b0d73bb5e61253f8d31751495a4744a4c208b99f585854d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
268bde0d6eec7c0f6d50eb2b8718e2fc

SHA1
dce82987fcff380eeff7c370b8b73facceacfcc1

SHA256
b2c918e4a65791c7c6164ad292ce0aec7c585fefec23c92fd86951f3f01a4d0c

SHA512
2fc3d7982f4a1038faf6b7df43ff0881aee45cafdfce884e7f3c8c46ac279b7ce3277e4dc1707a167451e9b09d4e5586acbb57f9c4c96a604764690efa15d236

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
70c22e115699b6ed4ac0ff59e2f6bdbc

SHA1
65b4bfabbb9f0f6792b1d3f993dffc10ccdb4ef3

SHA256
16870be09dba8915a1bcfe66cdef418957c81996b7770edcfb031d03967cc1fe

SHA512
c2753c929fbc7349a1b255e39afb9b2433da3d31778f8512ba48c3b22db612f8a4417428a0bf3feb25a1813a49cc6c99045c1f77c89ae0cce272120fdeaa834f

Download Submit
memory/632-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/632-4-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/632-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/676-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/676-28-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/676-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/792-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/792-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing