neconyd | 466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2

General

Target

466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe
Size

33KB
MD5

8bb0f8c5173276d442c351f65756e220
SHA1

4229884a932f0df99549865f503c8569afa8bb8c
SHA256

466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2
SHA512

6dffb9ef4d934eed040a797a03e8169695fdc51fb2c9d89097291012cc7ad10a5318d63f0f0607ee90b7b94eb9b8b040c1ee2f93501a0f49809870c63367a670
SSDEEP

768:AfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7DB:AfVRztyHo8QNHTk0qE5fslvN/956qQ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2372	omsecor.exe
1536	omsecor.exe
1660	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3068	466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe
3068	466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe
2372	omsecor.exe
2372	omsecor.exe
1536	omsecor.exe
1536	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2372	3068	466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe	30
PID 3068 wrote to memory of 2372	3068	466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe	30
PID 3068 wrote to memory of 2372	3068	466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe	30
PID 3068 wrote to memory of 2372	3068	466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe	30
PID 2372 wrote to memory of 1536	2372	omsecor.exe	33
PID 2372 wrote to memory of 1536	2372	omsecor.exe	33
PID 2372 wrote to memory of 1536	2372	omsecor.exe	33
PID 2372 wrote to memory of 1536	2372	omsecor.exe	33
PID 1536 wrote to memory of 1660	1536	omsecor.exe	34
PID 1536 wrote to memory of 1660	1536	omsecor.exe	34
PID 1536 wrote to memory of 1660	1536	omsecor.exe	34
PID 1536 wrote to memory of 1660	1536	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe
"C:\Users\Admin\AppData\Local\Temp\466cbfa29c6362cba40c2b8c95030c5cf7b0ac95878c390f1cd4f3add0b538d2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
642420ce2b21fa7d1bfa96921299eed5

SHA1
a42a468f982b782627e236bfdcbb83abaa40cf71

SHA256
ad48e1e48d7544f1d65cf5a8454fdb0aa060d38f21a4f64ee4af166b3c05585c

SHA512
07a4012965961f278015ef6ea330d901b3e5580392922314308dd333e26a098b2febc00ae2cce932efbfcffa1c35283f72360d3d4e5e5c5e4c979025bc950be6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
17a35f93bf5344b4a5733b111c079923

SHA1
028937eae04137bd911ca1ef8f643cf457cbe513

SHA256
dd0b06085b96268fab65228fac01ff7058cc51aa4142a24975f7e508a2063785

SHA512
98caf4a58de4765b247cfd686a7768e40de1eb7ba4356da80877e15d538ddfac75e7b1c5dc0466a730c03c0bee738c1e5cbc7250c4c46bc87c6db032698e3f98

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
8d3cbcc39513940054834ccff3a0e517

SHA1
386b29d879b2c7154f715d5e51c428245d0f00df

SHA256
eda70db25803afd5466ceefd159edac992fae3fde7a9335d0f280afd3858d5a1

SHA512
9a62792a479d4018c9c15b3f1b7717e2c2ccbe2fcbea846518cf0375e16b8237527c1ddc7cccc3dcece4599eed16e9e74723e9329b6d0c7df4fde5928e73e162

Download Submit
memory/1536-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1536-46-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1536-40-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1660-50-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-34-0x0000000001FD0000-0x0000000001FFA000-memory.dmp

Filesize
168KB

Download
memory/2372-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-49-0x0000000001FD0000-0x0000000001FFA000-memory.dmp

Filesize
168KB

Download
memory/2372-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3068-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3068-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing