neconyd | ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c

General

Target

ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe
Size

71KB
MD5

87368cd8a1918b236a04697cd00d6e81
SHA1

09423f43acfdef26398ee2168f2e40c5bcce2a1b
SHA256

ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c
SHA512

1d593361ce2f834657365441a9eac496aafccccf9a3d5fc7aec406c9252cc4f6b55a6c1e01be182bdaaa62bb316eb2e520f800454fab9bcd3259f9ca92d8bb52
SSDEEP

1536:4d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHX:IdseIOMEZEyFjEOFqTiQmQDHIbHX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2368	omsecor.exe
2688	omsecor.exe
2136	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2548	ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe
2548	ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe
2368	omsecor.exe
2368	omsecor.exe
2688	omsecor.exe
2688	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2368	2548	ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe	31
PID 2548 wrote to memory of 2368	2548	ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe	31
PID 2548 wrote to memory of 2368	2548	ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe	31
PID 2548 wrote to memory of 2368	2548	ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe	31
PID 2368 wrote to memory of 2688	2368	omsecor.exe	34
PID 2368 wrote to memory of 2688	2368	omsecor.exe	34
PID 2368 wrote to memory of 2688	2368	omsecor.exe	34
PID 2368 wrote to memory of 2688	2368	omsecor.exe	34
PID 2688 wrote to memory of 2136	2688	omsecor.exe	35
PID 2688 wrote to memory of 2136	2688	omsecor.exe	35
PID 2688 wrote to memory of 2136	2688	omsecor.exe	35
PID 2688 wrote to memory of 2136	2688	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe
"C:\Users\Admin\AppData\Local\Temp\ec91724a07852fa5a9eccc6c2bc90898593ddd03a48d58da158207885101700c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
804d29bd310ed6766ec6814e3e8c0ced

SHA1
301437d5c7d5a60b52499acfdf67e650d84368cd

SHA256
2bc6cf971e309887513c684723045f2895cc8d5074fc82cf6bc299dc8e7b7a54

SHA512
3fed605fa00da0385c14a21337664765ec21da0acf8898d80cfd6e433ce9b3c386ccc25e70a4a38a0b7612188175f6a7dc3e896451652cdd39bbb4e713499b73

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
991a4dd3c753b936e10304281ee49bf5

SHA1
58b8dd350bf17939bdb0fdbfb4bbab08e05e594b

SHA256
a1c6d4be27d749cabc940908282c720be65164e4b87d2902053fb028cebe5ea0

SHA512
92e979cd4c96493cb58a16218d76644283768d6f7ff790e457025f375fc4a1aa97c1b353ff42504cf6d16c331dc2a92d7f9b3fc365e4d94dfcaa0bb5c0a2c384

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
d5c48853e3ce900803e0fc968d0d1559

SHA1
d11e50354eb07f35c85eb866829de2e260c42786

SHA256
ecabd84b336203d57c2bf7873b32424ac8bc4bbd1b2dc1aa50bd9d6ddb6fdbe2

SHA512
ea90faab06fc6da03b5d05cb58c1c1509708a0719078ed791b90d7ebdd1110c65ccbc2af849119051af5e0ad0bac4c80975e17ce6a724720aa4afdc2bba5d3ae

Download Submit
memory/2136-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2136-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2368-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2368-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2368-16-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2368-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2548-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2688-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing