neconyd | c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2ae

General

Target

c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe
Size

71KB
MD5

9ee6e6a3aee111dea260c4500c4c34f0
SHA1

00d961b5e29126a2dc0f3c10f4ba3416ad1746c0
SHA256

c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2ae
SHA512

ae100dd7fcb57213e95305884e8a687b6de5fd8cb16cd5ace748015c767f6027570dbd23a2486591af3b8ec91043b0c8fd9b1f48c4722f211f116403a9f229aa
SSDEEP

1536:xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHt:BdseIOMEZEyFjEOFqTiQmQDHIbHt

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2436	omsecor.exe
112	omsecor.exe
840	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2416	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe
2416	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe
2436	omsecor.exe
2436	omsecor.exe
112	omsecor.exe
112	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2436	2416	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe	28
PID 2416 wrote to memory of 2436	2416	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe	28
PID 2416 wrote to memory of 2436	2416	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe	28
PID 2416 wrote to memory of 2436	2416	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe	28
PID 2436 wrote to memory of 112	2436	omsecor.exe	32
PID 2436 wrote to memory of 112	2436	omsecor.exe	32
PID 2436 wrote to memory of 112	2436	omsecor.exe	32
PID 2436 wrote to memory of 112	2436	omsecor.exe	32
PID 112 wrote to memory of 840	112	omsecor.exe	33
PID 112 wrote to memory of 840	112	omsecor.exe	33
PID 112 wrote to memory of 840	112	omsecor.exe	33
PID 112 wrote to memory of 840	112	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe
"C:\Users\Admin\AppData\Local\Temp\c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
0442df80e72317c63122fef8b403891e

SHA1
78a4d777a90712067a785f8d51ed22f3617c51db

SHA256
14144c798c12f7987dd7195830d4ffcb9ad6d2e6788d1be5dcd221e92b423fc9

SHA512
371d07149ebc2d54b7827c0b426eef69a59457c11e2b18d73616e48640774ca5c1e9e23e5188a974f6a664c35b377b2281e8c89c823f92da61a1444a52e1abae

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
6cbe5e455b788ab53623058e85b6dcc2

SHA1
3bd8f3a2a5f6ccdd5fadb373054dd595d089cab4

SHA256
2f2f6bd40cc0e41dd0aed4a971e7a76bdd532e8a8e356fc2f8a3e3d8076b4146

SHA512
d39f3a4d717fdf51f43bc796bbee34b8e54be147a8a6bb164e94585f34cb3e7a000ff35b828514f4bc051642fd6b089c8438a026de3b0bbdcbd76d3ff5ee7039

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
6d1d4500802e3c6bf0ac97f30bd0e704

SHA1
b6378bf01923eb172226f4c58428b30b5a19554a

SHA256
b563cf7c1a5d5a3c86f00246d0049c29b0283e47419e45396795514d8851d70b

SHA512
b22f12c172d5ff8b9cbc640c9a7b7aab179fdcfdc7f60369fd75863bfffcade641e1c6847e66becdd11ff5507b355446d07a019b5cf5176ce675baafc4234442

Download Submit
memory/112-31-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/112-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/112-39-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/112-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/840-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2416-4-0x00000000002D0000-0x00000000002FB000-memory.dmp

Filesize
172KB

Download
memory/2416-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2416-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2436-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2436-22-0x0000000000290000-0x00000000002BB000-memory.dmp

Filesize
172KB

Download
memory/2436-23-0x0000000000290000-0x00000000002BB000-memory.dmp

Filesize
172KB

Download
memory/2436-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing