neconyd | 11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42

General

Target

11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe
Size

76KB
MD5

48ad7263b9b37f8977194f9c4bfc6070
SHA1

2357f8d7e4feb8b9396ee09784c2f6acde2d14dc
SHA256

11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42
SHA512

30b748fbff66f5ffb0bc7349202dd1bd1edfee763a5ac1d9455553e5712636e29956a912e3b97ed2f227302f43c60352d8d6d76e7dcac8044d05e6cfa2d6dd59
SSDEEP

1536:3d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11V:/dseIOMEZEyFjEOFqaiQm5l/5w11V

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2672	omsecor.exe
2900	omsecor.exe
2120	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2076	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe
2076	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe
2672	omsecor.exe
2672	omsecor.exe
2900	omsecor.exe
2900	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2672	2076	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe	30
PID 2076 wrote to memory of 2672	2076	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe	30
PID 2076 wrote to memory of 2672	2076	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe	30
PID 2076 wrote to memory of 2672	2076	11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe	30
PID 2672 wrote to memory of 2900	2672	omsecor.exe	32
PID 2672 wrote to memory of 2900	2672	omsecor.exe	32
PID 2672 wrote to memory of 2900	2672	omsecor.exe	32
PID 2672 wrote to memory of 2900	2672	omsecor.exe	32
PID 2900 wrote to memory of 2120	2900	omsecor.exe	33
PID 2900 wrote to memory of 2120	2900	omsecor.exe	33
PID 2900 wrote to memory of 2120	2900	omsecor.exe	33
PID 2900 wrote to memory of 2120	2900	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe
"C:\Users\Admin\AppData\Local\Temp\11ae9903a395a563272d35759059258b454f643edd9cba73be3d72b3a4d74b42N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
8ef4ea10ba7edc62c87d2d4d01082eac

SHA1
39ce71ff3c6d2c888b2d6950008e572b6edb809f

SHA256
e07a54bd5d07dc34bedc56eb2895d0a4f0056744d05244214ff94c26d711316a

SHA512
4fa2f19ed2afa71162abf6e0a6d79bec0febea743c51216de71c9ba28b52f581eda5aaa7d515640d5c55729bb6cf256008640e86fbc579da2ed47ba1e40a878e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
bf31ac27608788248f115eb1f218bf22

SHA1
ca1e30c69b926ff8b25be8220e4bcda08719a302

SHA256
42b749b981c46e1049e08e5b26731ecab689f95d3eb31cb4a2323bc65369eeec

SHA512
a29082302e48aa3020e5603e38aca2c2d5fb0f49443bf70c647dc748f09e918f81e72546b8ff83f727ac96d41ecff715de6f1526137ab1a9b2c9cc7291ba4ca3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
74c2504aacb9b39ec677cf07b5a1c4bc

SHA1
043b3cea64dbb76e89bf706ad7a5c61fa4fdf4a9

SHA256
7b2b74735b71225a2f34d50d6456ac312ed07090a2d362151bc853206d0abcdc

SHA512
df172bc56196909a2bb2b8de89d24bcc435bdb73c5797e32699470cdadc9047f78235551831ae5cf7218a4f6fa82f94cf1e2c1647106e341537eb5250ef46c7d

Download Submit
memory/2076-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2076-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2120-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2120-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2672-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2672-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2672-18-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2672-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2900-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing