neconyd | 11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42

General

Target

11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe
Size

76KB
MD5

48ad7263b9b37f8977194f9c4bfc6070
SHA1

2357f8d7e4feb8b9396ee09784c2f6acde2d14dc
SHA256

11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42
SHA512

30b748fbff66f5ffb0bc7349202dd1bd1edfee763a5ac1d9455553e5712636e29956a912e3b97ed2f227302f43c60352d8d6d76e7dcac8044d05e6cfa2d6dd59
SSDEEP

1536:3d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11V:/dseIOMEZEyFjEOFqaiQm5l/5w11V

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1748	omsecor.exe
2820	omsecor.exe
2208	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2536	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe
2536	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe
1748	omsecor.exe
1748	omsecor.exe
2820	omsecor.exe
2820	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1748	2536	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe	30
PID 2536 wrote to memory of 1748	2536	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe	30
PID 2536 wrote to memory of 1748	2536	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe	30
PID 2536 wrote to memory of 1748	2536	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe	30
PID 1748 wrote to memory of 2820	1748	omsecor.exe	33
PID 1748 wrote to memory of 2820	1748	omsecor.exe	33
PID 1748 wrote to memory of 2820	1748	omsecor.exe	33
PID 1748 wrote to memory of 2820	1748	omsecor.exe	33
PID 2820 wrote to memory of 2208	2820	omsecor.exe	34
PID 2820 wrote to memory of 2208	2820	omsecor.exe	34
PID 2820 wrote to memory of 2208	2820	omsecor.exe	34
PID 2820 wrote to memory of 2208	2820	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe
"C:\Users\Admin\AppData\Local\Temp\11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
d0985d587a2fd084db06df75c8cb364f

SHA1
ae9132fce044c7d007d73116555658c620290b00

SHA256
de5a84d8dfc626d622c95d92608004e33ce89b1bc2fed6cf5dcd16cd1c240d0e

SHA512
4741f706f06448cb2763fa9baa2ef7d56177fa9f6e120f5f46279d8321a52d993446ec844901b7eb4427f21de1153def62415f181e7ce82b6c03afc5f78a50d6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
bf31ac27608788248f115eb1f218bf22

SHA1
ca1e30c69b926ff8b25be8220e4bcda08719a302

SHA256
42b749b981c46e1049e08e5b26731ecab689f95d3eb31cb4a2323bc65369eeec

SHA512
a29082302e48aa3020e5603e38aca2c2d5fb0f49443bf70c647dc748f09e918f81e72546b8ff83f727ac96d41ecff715de6f1526137ab1a9b2c9cc7291ba4ca3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
708b8a24270dc586b7ba284a718ae74f

SHA1
f04cfab047d057f48abc76b0f83251c7fdf271d7

SHA256
34e534711c4ef017227864b499f2dda76db4b81c46ae5fb76af7d4c565835a76

SHA512
7c03fa76c33d89f6d625b069a60ae44fe2bdc1c5bc5a2ed795d8a288aebdd9aa91495bdc2ff0fb9588372820fee0ddb3732300e458ed40f63f5b5efc1b50eab0

Download Submit
memory/1748-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1748-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1748-16-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/1748-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2536-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2820-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing