neconyd | aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480

General

Target

aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
Size

96KB
MD5

c3ba66124b5c044d8490874363f44c85
SHA1

c218c4b47009ed83a0c97278229f734fd36d73f8
SHA256

aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480
SHA512

701e42fa4d529790c8585d0d97430b9bf6a82f2dccb2725105d44824fb7ed536378dfce643131838e72d719e5aa569f143a6ef5053e1296e8738bf1abc2f31c6
SSDEEP

1536:lnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxZ:lGs8cd8eXlYairZYqMddH13Z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 4 IoCs

pid	Process
2132	omsecor.exe
2768	omsecor.exe
1064	omsecor.exe
2884	omsecor.exe

Loads dropped DLL 5 IoCs

pid	Process
2376	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
2376	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
2132	omsecor.exe
2768	omsecor.exe
2768	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 2376	1756	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	29
PID 2132 set thread context of 2768	2132	omsecor.exe	31
PID 1064 set thread context of 2884	1064	omsecor.exe	34

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2376	1756	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	29
PID 1756 wrote to memory of 2376	1756	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	29
PID 1756 wrote to memory of 2376	1756	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	29
PID 1756 wrote to memory of 2376	1756	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	29
PID 1756 wrote to memory of 2376	1756	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	29
PID 1756 wrote to memory of 2376	1756	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	29
PID 2376 wrote to memory of 2132	2376	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	30
PID 2376 wrote to memory of 2132	2376	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	30
PID 2376 wrote to memory of 2132	2376	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	30
PID 2376 wrote to memory of 2132	2376	aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe	30
PID 2132 wrote to memory of 2768	2132	omsecor.exe	31
PID 2132 wrote to memory of 2768	2132	omsecor.exe	31
PID 2132 wrote to memory of 2768	2132	omsecor.exe	31
PID 2132 wrote to memory of 2768	2132	omsecor.exe	31
PID 2132 wrote to memory of 2768	2132	omsecor.exe	31
PID 2132 wrote to memory of 2768	2132	omsecor.exe	31
PID 2768 wrote to memory of 1064	2768	omsecor.exe	33
PID 2768 wrote to memory of 1064	2768	omsecor.exe	33
PID 2768 wrote to memory of 1064	2768	omsecor.exe	33
PID 2768 wrote to memory of 1064	2768	omsecor.exe	33
PID 1064 wrote to memory of 2884	1064	omsecor.exe	34
PID 1064 wrote to memory of 2884	1064	omsecor.exe	34
PID 1064 wrote to memory of 2884	1064	omsecor.exe	34
PID 1064 wrote to memory of 2884	1064	omsecor.exe	34
PID 1064 wrote to memory of 2884	1064	omsecor.exe	34
PID 1064 wrote to memory of 2884	1064	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
"C:\Users\Admin\AppData\Local\Temp\aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
  C:\Users\Admin\AppData\Local\Temp\aae06b61ed06d33987c70fac2b9234b09ea73612432f7118d0bc0819e980d480.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
0301705ee6f6e4f555c232bd1cf7135d

SHA1
ad79d01bc50eb1ce7a3ee18a14e0f2b0ee974bae

SHA256
90579ff960ceaeaa56356659abf95370adca4fc33087e0f5144a6ea98313f1a9

SHA512
0a269a44dd1a7af1349f4b82845cd5cbfb1958c05e3542570b751f8504d08da148c9a91710d823a1ba9683409ecdc2ed297c8c87ff543ec6d3fa07a5cdecae46

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
ad771480f9dfd3d9efc807d8b6c369da

SHA1
5de34309ccb9983b8a939e72dcc138f5f561c0e5

SHA256
8913368f29b785f8b9a1b8f5fd502750c0cfddbb1e909b8865d3fd8e8d3b69af

SHA512
1afee808714340da1a998a99373488b83af40b5e809a36ca2d7f54437d876cff32b7c15b91060662acc6dae535ddf7f862133b2ef77ea8cbe8654138c3af2ec7

Download Submit
memory/1064-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1064-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1756-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1756-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2132-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2132-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2376-13-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2376-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2376-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2768-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2768-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2768-48-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/2768-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2768-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2768-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2884-70-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing