neconyd | 3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3

General

Target

3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe
Size

33KB
MD5

e5b42dd7efabacf213b0424c30e7ae8e
SHA1

f77548bd265bf7e742a37ddfa47b154a845a3567
SHA256

3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3
SHA512

ee79cf176c41424e0487571eb9d59c57a8e2544f1b9acbb6e15feccaf0eac441d6ff3a8825d5ad2d57e2b106ab65e78007fc65d9cb95136b1c6904da9822adb2
SSDEEP

768:0fVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7DF:0fVRztyHo8QNHTk0qE5fslvN/956qo

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2060	omsecor.exe
948	omsecor.exe
2908	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1640	3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe
1640	3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe
2060	omsecor.exe
2060	omsecor.exe
948	omsecor.exe
948	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2060	1640	3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe	30
PID 1640 wrote to memory of 2060	1640	3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe	30
PID 1640 wrote to memory of 2060	1640	3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe	30
PID 1640 wrote to memory of 2060	1640	3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe	30
PID 2060 wrote to memory of 948	2060	omsecor.exe	33
PID 2060 wrote to memory of 948	2060	omsecor.exe	33
PID 2060 wrote to memory of 948	2060	omsecor.exe	33
PID 2060 wrote to memory of 948	2060	omsecor.exe	33
PID 948 wrote to memory of 2908	948	omsecor.exe	34
PID 948 wrote to memory of 2908	948	omsecor.exe	34
PID 948 wrote to memory of 2908	948	omsecor.exe	34
PID 948 wrote to memory of 2908	948	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe
"C:\Users\Admin\AppData\Local\Temp\3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
5b24490bc25bcfff2220736c40d324c6

SHA1
141df748d6e2ebb93f7a60569f5391407fc1d02a

SHA256
728793d530a87c1379b45bbaee3ebb612ae1eec96f85f24c2b8adc9c299dde24

SHA512
c1d8f8805d87db895aeab0e11545c10e10f746b492785aedb25bbd35a92d7e21ba5ad6c3f01bfa5f46d88a69a1a8a665a05e45b4ba45992f462f0a51584908ca

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
393997deab0a543f8dcf64809d57e34e

SHA1
e34ae14e9a95374558f00808f5d84f8960d66006

SHA256
ccddcd4f52b1b99cc613d7c9c06d1c5a4f2949f5a5d4f07cd8218bcb0809733f

SHA512
3e391ad644b9942f35331bd2d8b85b61a72672af0a0f19d75101670e5301c9464fc12eae1a74afcfc7d83e40da66f08d43f84bbfe340cbf2c93a35a06e08d716

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
250c9874496aef76b7aa69abb1f93c35

SHA1
fe26a28a6c2d6f1adcab9b013c20dbdeec132f7a

SHA256
22851def96834dbcc9e1d183c76af109a8deba3332c3c536ff30e7e60cb9433e

SHA512
3f279144189e73dc99e07e74bc759121db2857a662a680ca96238ff054986008a019695386277f8674f77fe2539085c19cfedceaf2cb59bcde8f914e3869b2f3

Download Submit
memory/948-39-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/948-45-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/948-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1640-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-25-0x00000000027C0000-0x00000000027EA000-memory.dmp

Filesize
168KB

Download
memory/2060-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2908-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2908-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing