neconyd | 11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6

General

Target

11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe
Size

76KB
MD5

5018c87cd0f8eb82a4e26033be36b218
SHA1

f1a5372ea62b5f6721675b867606896e8e9c7d77
SHA256

11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6
SHA512

ec7287fc0a0934dc2bfd91ca6c6363e3315050ff46cabd906cbfb60cc4f12e5965a49278bd67f4827406f1d7ccd46d5d8c3a6d192305c2c5d984d122aba7fde7
SSDEEP

1536:9d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11l:1dseIOMEZEyFjEOFqaiQm5l/5w11l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1640	omsecor.exe
576	omsecor.exe
2908	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2556	11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe
2556	11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe
1640	omsecor.exe
1640	omsecor.exe
576	omsecor.exe
576	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1640	2556	11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe	30
PID 2556 wrote to memory of 1640	2556	11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe	30
PID 2556 wrote to memory of 1640	2556	11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe	30
PID 2556 wrote to memory of 1640	2556	11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe	30
PID 1640 wrote to memory of 576	1640	omsecor.exe	33
PID 1640 wrote to memory of 576	1640	omsecor.exe	33
PID 1640 wrote to memory of 576	1640	omsecor.exe	33
PID 1640 wrote to memory of 576	1640	omsecor.exe	33
PID 576 wrote to memory of 2908	576	omsecor.exe	34
PID 576 wrote to memory of 2908	576	omsecor.exe	34
PID 576 wrote to memory of 2908	576	omsecor.exe	34
PID 576 wrote to memory of 2908	576	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe
"C:\Users\Admin\AppData\Local\Temp\11b301a791e05917a86109e1b12e5cb17e29e2269cb5fbbab4f74a4d44991cc6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
29edb954d2a41c8cf32f1a79732c4ede

SHA1
301584d7be7d3490e8047dca7a01db7f1daad019

SHA256
3689c8da24a86bf7d7a8d612bff946d19740ce475bbf2c0a8af179080811ce11

SHA512
6bccfa8fb3ec2ee639b606174d84090609afb7040bf2d1ee4ab46cbe97f07284e13f7808e4381b9543e48eaead26fa4cd345598c602e2ba986cfa06b64991c3c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
4fe7b66d9a81124149c3ae6956fcebc3

SHA1
6505cda60a54efc8515e214101b7b205a9e08850

SHA256
616cf8fc5bb1f4f8fdd9fb9e571b4eace50bbc5a0d60fd46899157de484d06d4

SHA512
40409836231ae62c82587198ac7de4748e0af7989b1ae5069902800342383b4a40761bf51e50dfe267f98cf25a69e33b010c7cbe8a2af9b0febce41b5fee8694

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
138f7c6c2847bb84c0cbdf05246c6589

SHA1
daa951f482a53ca6c0af73e65244474eb72f5d84

SHA256
ae998ced8a7e28a3a4ade25ff30fbc400e9e8a6e9d25067d6808fa04af166f00

SHA512
7bff56bcb8488507df690cce89f07df6ad2a22ff9b7cb2d6de4a5b8046b212a26fb6b9c072f4f76b9793010edf8ec909bb83fc6a5065bc0e23dfc5ce21c9a328

Download Submit
memory/576-30-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/576-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1640-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1640-18-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/1640-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1640-23-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2556-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2556-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2556-4-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2908-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2908-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing