neconyd | 735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3

General

Target

735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe
Size

90KB
MD5

0f4662f4a3e895d04e9545bbb712e8d0
SHA1

32344fe5ff404341298aceae54e1fb5961afb94e
SHA256

735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3
SHA512

6ab8c15638f42a00dd373099ae46baae3e0668e8bc096e573ed4158d2fdb115d003f2245ba02bd1f68489380a822f8549d6b1493dba6b9d5b3b120bd7efe0157
SSDEEP

768:zMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA6:zbIvYvZEyFKF6N4aS5AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1556	omsecor.exe
628	omsecor.exe
2956	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2556	735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe
2556	735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe
1556	omsecor.exe
1556	omsecor.exe
628	omsecor.exe
628	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1556	2556	735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe	30
PID 2556 wrote to memory of 1556	2556	735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe	30
PID 2556 wrote to memory of 1556	2556	735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe	30
PID 2556 wrote to memory of 1556	2556	735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe	30
PID 1556 wrote to memory of 628	1556	omsecor.exe	33
PID 1556 wrote to memory of 628	1556	omsecor.exe	33
PID 1556 wrote to memory of 628	1556	omsecor.exe	33
PID 1556 wrote to memory of 628	1556	omsecor.exe	33
PID 628 wrote to memory of 2956	628	omsecor.exe	34
PID 628 wrote to memory of 2956	628	omsecor.exe	34
PID 628 wrote to memory of 2956	628	omsecor.exe	34
PID 628 wrote to memory of 2956	628	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe
"C:\Users\Admin\AppData\Local\Temp\735677d4143d776df89593901f262fbc479aa22bfc80db6ee91b6ec0efa819e3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
5c6595cbc6600107c4ec47c15caf79d2

SHA1
48abdaa3a16929f1bc6a09d1c073e6151a61561c

SHA256
a248a3df8f62406020a1e9a961e94a35946741ed705acb0edfdce190a7856585

SHA512
775ab21c8da8f73efdd377447abd4ce80642eb1f60fb9d9874de69a0f19b3564aeec57716151a60ed5fe5f8268508be5031a2fd22eb95d2fbe4637965fd7fbce

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
97d53ca24a7428b46ee5f39cb3fde468

SHA1
d4d6c8c70961b9c57c7b95dc168563bbc03a7e99

SHA256
4c0b15509e1cae956e10c84bf897e39b83fbd1b87ac377dbb5fb685cc4ca11a7

SHA512
ad56d29a9c82975b675fe25def943ce06bdb92c38d5493e5ab73743f8a33fa6cc49ef1ffc6fdbf032ded759646182e414a412a67aefdd85ed581ecc38c213b27

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
e63289d3dcf9943b92cbdbaad3b2270e

SHA1
dfb6856e4e9222cb837e53e74f1442c47abe6bce

SHA256
f5003b9262d97605fdd034b7a62efa464b6413550f5bfc72f739a75740cb15c9

SHA512
06f890aa6ce708e6ceec43df5510bbce8341cbaa3c8a6b15cd28ffaec1f5b7911375f2b9ee3e34c394b3425a23e7cc8e7ae9134d728d6eb49d5ff38b3dcfe67a

Download Submit
memory/628-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/628-38-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/628-34-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/628-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1556-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1556-23-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/1556-22-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/1556-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1556-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2556-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2556-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing