neconyd | a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3

General

Target

a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe
Size

65KB
MD5

ad1b2166005f6267650b497d06a5daa0
SHA1

fcb349de5138a3f5c3a7a17785615ad25191d5f1
SHA256

a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3
SHA512

a8035e04437bbe2b6d249b9645f49ed79d994210bc25bf19dc1d059966bee2c448d32ab3c5c1b49416b8777ac4e892752510ef2531272ead69d2e8ebd805f5b0
SSDEEP

1536:Ud9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:sdseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
952	omsecor.exe
1552	omsecor.exe
1156	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2608	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe
2608	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe
952	omsecor.exe
952	omsecor.exe
1552	omsecor.exe
1552	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 952	2608	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe	29
PID 2608 wrote to memory of 952	2608	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe	29
PID 2608 wrote to memory of 952	2608	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe	29
PID 2608 wrote to memory of 952	2608	a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe	29
PID 952 wrote to memory of 1552	952	omsecor.exe	31
PID 952 wrote to memory of 1552	952	omsecor.exe	31
PID 952 wrote to memory of 1552	952	omsecor.exe	31
PID 952 wrote to memory of 1552	952	omsecor.exe	31
PID 1552 wrote to memory of 1156	1552	omsecor.exe	32
PID 1552 wrote to memory of 1156	1552	omsecor.exe	32
PID 1552 wrote to memory of 1156	1552	omsecor.exe	32
PID 1552 wrote to memory of 1156	1552	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe
"C:\Users\Admin\AppData\Local\Temp\a82fcb511219d06dc550e0551742c911c97745058c86bed7fa117246cf4e90e3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
06564ad7d594f98f9f5d44a7f7d5b8b2

SHA1
268fa1ddc0808e52f6bdfb79f6676f057dd68a06

SHA256
7a0fd9729e010f52a67766af417b2072b2c433f1fe7cc107510a9fe36fcc3bb1

SHA512
3323b203e140d7359d49bec0c8289e1419426cb0af6fa5cff6d897d135f8e839e332c245ac8db1778021600ac514e8202c9840553947e7712d0a1fc5571c3bb5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
a7e1a9286af24893128c0761c66bd839

SHA1
89f00c3d9347a566bae5aafa9631040e5bfcee10

SHA256
229b04c59d94217a56b8e4dcae5ba03779d702a457d96db908dece60cd3c67fe

SHA512
7c0d22ee74ccac95af29dceff72fa6b2f096473f7ad0f951f18c7036393d1f318016bcc215dd0b613fefccb2c1bc68d630c990d46d038c64ece6bbb4e500568a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
5d949e05a3054d8e72170edd68d675f8

SHA1
cb1c67d3cb8361e0e807cf683ed4285cc08ecbc1

SHA256
021ab77f41d4f9926cd722522bd3927b5b73fc7782b40427f5a4ece7cda46e54

SHA512
ce7fc03542842e239ec46b6813013df6d80c7f98e0f7f65bc1ecbe833d0968b56838b1986513ee795a3a1219a0bd3f648e608726588a7bef398b398df2a392f7

Download Submit
memory/952-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/952-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/952-16-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/952-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1156-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1552-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1552-29-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1552-32-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1552-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2608-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing