neconyd | f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0

General

Target

f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe
Size

90KB
MD5

3a8139c50c5539a1bcb271ed8c9b0440
SHA1

a18b0272247e471041f16984b460a0c5a0b32f92
SHA256

f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0
SHA512

ae3c80ac400fa1d16a7f57fa09bfb7708404dbf2666705c5ce0ee19e5b5c286d3c8f18a846895a0a0961ce5c714dda32aca6cf646e64a8a279b1a00ea09e3bc7
SSDEEP

768:tMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:tbIvYvZEyFKF6N4aS5AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2528	omsecor.exe
2372	omsecor.exe
1300	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2420	f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe
2420	f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe
2528	omsecor.exe
2528	omsecor.exe
2372	omsecor.exe
2372	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2528	2420	f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe	30
PID 2420 wrote to memory of 2528	2420	f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe	30
PID 2420 wrote to memory of 2528	2420	f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe	30
PID 2420 wrote to memory of 2528	2420	f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe	30
PID 2528 wrote to memory of 2372	2528	omsecor.exe	33
PID 2528 wrote to memory of 2372	2528	omsecor.exe	33
PID 2528 wrote to memory of 2372	2528	omsecor.exe	33
PID 2528 wrote to memory of 2372	2528	omsecor.exe	33
PID 2372 wrote to memory of 1300	2372	omsecor.exe	34
PID 2372 wrote to memory of 1300	2372	omsecor.exe	34
PID 2372 wrote to memory of 1300	2372	omsecor.exe	34
PID 2372 wrote to memory of 1300	2372	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe
"C:\Users\Admin\AppData\Local\Temp\f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
9175120f0b0b6e7c97574e946f850085

SHA1
fe5ec66aa2cf8272c2744a0cdb89e759b3970d1e

SHA256
5231cc91f8d6a2422fb1152fd197f524f2561d5691b71c1060f594ed79c59afe

SHA512
715908e62aab34838b44fc3709d0548cef4eec8c0f17cc8e584bda58dfb1d3db831d4b583455a1d7dab9145d3cf8494b960100112b0187b7446647643694954a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
6622eed5814f990b7bc50b0b79eeb8bd

SHA1
e634cdaec247f04cbb52f618e7c858d1fe895eae

SHA256
9f29ad8b8ad26974e6ca970a934b8f45f1501faf804f06f5868d4d7e2da932ef

SHA512
c2a2b7f49080d069073afebab14ba61d625d0663b68e35faa0ccd475086fa14e68ab53e1d9e881d1c49afd8d68eeaf7632e05fb1ac5269f64a6b8699579077db

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
7bfb4e6a35fd9e2c275a79a495b7cd26

SHA1
5992f99a22f5ce9c1d210f68fe31511411b3b7b5

SHA256
4c2d1a055359b57a71b878d38f1e877c3eed0ba3decfc1a15e93fce10cdcdc18

SHA512
4cbdade36d63f21781b52794ddd1cacb798661172166572e1c6e1cd971a84d8e6e8694f379a47f680c7ff1f5f18a38baeb12377949d8d5d527f94111a9d9e596

Download Submit
memory/1300-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1300-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2372-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2528-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2528-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2528-17-0x0000000001F30000-0x0000000001F5B000-memory.dmp

Filesize
172KB

Download
memory/2528-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing