neconyd | 5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5

General

Target

5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe
Size

65KB
MD5

5082b2e5147f1b4d7e65056ee998085a
SHA1

1074978aadba45482646ddb15d015fd50ce8def8
SHA256

5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5
SHA512

efa25bb2b9564fab813c388fe329af9346e2d2dfd5a4681324a2217b6c81c77aa523db59ac53791e242f0c3beb73202f15009db9cb7099e5689611c3c2080be2
SSDEEP

1536:Ud9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzf:sdseIO+EZEyFjEOFqTiQmRHzf

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2864	omsecor.exe
2512	omsecor.exe
1744	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1872	5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe
1872	5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe
2864	omsecor.exe
2864	omsecor.exe
2512	omsecor.exe
2512	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2864	1872	5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe	28
PID 1872 wrote to memory of 2864	1872	5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe	28
PID 1872 wrote to memory of 2864	1872	5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe	28
PID 1872 wrote to memory of 2864	1872	5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe	28
PID 2864 wrote to memory of 2512	2864	omsecor.exe	32
PID 2864 wrote to memory of 2512	2864	omsecor.exe	32
PID 2864 wrote to memory of 2512	2864	omsecor.exe	32
PID 2864 wrote to memory of 2512	2864	omsecor.exe	32
PID 2512 wrote to memory of 1744	2512	omsecor.exe	33
PID 2512 wrote to memory of 1744	2512	omsecor.exe	33
PID 2512 wrote to memory of 1744	2512	omsecor.exe	33
PID 2512 wrote to memory of 1744	2512	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe
"C:\Users\Admin\AppData\Local\Temp\5dec60b483090bd6925b7810da127926db7f827d5b33e64c4acad05f9a18c8c5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
2f92c8f0887c3430916818a6bb00b0f3

SHA1
cedb595e11c73faec46875f2ce80b1389f7609f6

SHA256
dc209dcee904b467f209b1915f0209318c7f190a0c6b85cbdd66e9196af3f63d

SHA512
9718956553a9f84a5a1657c7fb00eab87f555afc91d2922cca00db5a418b67e0f2a38677e8edcab141b11a031a239e4fa1dc7ee25139dd13da62d0b8285ab0a6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
242f6fc8c4344462b25ccc0d7f352510

SHA1
28ac93a33d926e9062179f895adea6c394027cbd

SHA256
8f093eb8d667defebdc2eb81406f7a4e23753ec8a9b6848a5bd0ec814a1912e8

SHA512
fc24ad5c441f3a1edb39acadd96b832af29076fb369c848da557824fff6b9de1ead16e41bc614a20669d5191e107f4cc8e84cf76e7a1efa4663184e7e9d70d88

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
0595a6d4f052bed6741c8ffd69df3e68

SHA1
51f6327342139cc5d5751e53340f1bac278369d0

SHA256
9479ecb59d13b2f11dc074ea1ed5bf1ad803947e45aaede9854bc72db7ac9643

SHA512
daf8f6962f95d10792e81a52a47a1c8099008d7740cc05798df481002c8d9e1a05650970f0d39a29c27ab9e91162ea0bb1300b00e4c4dd8130d9f40f5f1dc1fb

Download Submit
memory/1744-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1744-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1872-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2512-28-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2512-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2864-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2864-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2864-16-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/2864-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing