neconyd | 83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8

General

Target

83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe
Size

71KB
MD5

7e3b7e1fca898cc8eae52c97f52e28e0
SHA1

3bd3ef24fdef703122450397d7a385fdeee76b78
SHA256

83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8
SHA512

394d7b5612f6685ec7d75ae17657645187f5822f3f3c091566401cc8ce099830c86278c5e96f12fb13c0c9402568873e3b642dafe02555715ccc8a7e81e052f8
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:XdseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3016	omsecor.exe
1864	omsecor.exe
2964	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2236	83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe
2236	83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe
3016	omsecor.exe
3016	omsecor.exe
1864	omsecor.exe
1864	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3016	2236	83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe	29
PID 2236 wrote to memory of 3016	2236	83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe	29
PID 2236 wrote to memory of 3016	2236	83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe	29
PID 2236 wrote to memory of 3016	2236	83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe	29
PID 3016 wrote to memory of 1864	3016	omsecor.exe	31
PID 3016 wrote to memory of 1864	3016	omsecor.exe	31
PID 3016 wrote to memory of 1864	3016	omsecor.exe	31
PID 3016 wrote to memory of 1864	3016	omsecor.exe	31
PID 1864 wrote to memory of 2964	1864	omsecor.exe	32
PID 1864 wrote to memory of 2964	1864	omsecor.exe	32
PID 1864 wrote to memory of 2964	1864	omsecor.exe	32
PID 1864 wrote to memory of 2964	1864	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe
"C:\Users\Admin\AppData\Local\Temp\83c09e8c0d8765cbd46b56b0047133ce8e2743dc909e8b31ea216653f5912dd8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
b18f23576c938ef8b35e485c390a7fce

SHA1
1d3ec612c7d5a63701c066df5165d3345967244e

SHA256
592328913048ca59b8a09a0440cac009771946de35a4266794d9e27243ae8163

SHA512
78a3c736deeea93e2c6b16a488c68c6b2ae3016212bb4c4fd09f94a66b659ca82995ed0e9245ceb81e6ec6fcccb8685e3b2a3d87708a976512653ba81c449053

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
76585528f23b5eda065da88299b6d9da

SHA1
bdc9359139a628a165226b0ad3a0f6d28ab1d6e5

SHA256
ef8183514f602a760e2af89982510bef33d84d9aea496572878891ffac4a1c70

SHA512
23198c8dbb01fad572e2415b6693aa7a83f775793fd7aa4dd4cc151241ba9f8c5691feb95e2a3991b55945fff3a4517c8883bfb871abf6a347e741e606d4cd88

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
9d6f12f0c22863bc3b63c70bcc301e4f

SHA1
844695a9574676fce4ba44c7811a29a318a7b82c

SHA256
bd88da7c21e214221dd2cb40f952acde5919d09ece3b5f7c518a2107085f5482

SHA512
58de5c95e7e6626682f89b53e8a96ee6ff36811ae3fe5c2726815e37145011678f3d6513097aee03ec2ebb669ef0e759bbaf63dc83177d9f1b074c3aa65de0e8

Download Submit
memory/1864-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1864-31-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2236-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2236-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2964-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-17-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/3016-23-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/3016-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing