neconyd | a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80

General

Target

a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe
Size

96KB
MD5

787bb733bd65ffabe55a3153d1b58db4
SHA1

1e56f1a4108108dd57052ce04ac92e35056bd450
SHA256

a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80
SHA512

3e88d679b1c97d6b6a3fce946aaa603e3139af26975dd9416a8c7e5b3d2965472d67b31ac9ec65ea5c449621b02b4dd117aa45011220fe91d3b1b64ee2dbef1f
SSDEEP

1536:tnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:tGs8cd8eXlYairZYqMddH137

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2732	omsecor.exe
2376	omsecor.exe

Loads dropped DLL 3 IoCs

pid	Process
2616	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe
2616	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe
2732	omsecor.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 2616	1812	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	30
PID 2732 set thread context of 2376	2732	omsecor.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2616	1812	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	30
PID 1812 wrote to memory of 2616	1812	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	30
PID 1812 wrote to memory of 2616	1812	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	30
PID 1812 wrote to memory of 2616	1812	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	30
PID 1812 wrote to memory of 2616	1812	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	30
PID 1812 wrote to memory of 2616	1812	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	30
PID 2616 wrote to memory of 2732	2616	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	31
PID 2616 wrote to memory of 2732	2616	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	31
PID 2616 wrote to memory of 2732	2616	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	31
PID 2616 wrote to memory of 2732	2616	a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe	31
PID 2732 wrote to memory of 2376	2732	omsecor.exe	32
PID 2732 wrote to memory of 2376	2732	omsecor.exe	32
PID 2732 wrote to memory of 2376	2732	omsecor.exe	32
PID 2732 wrote to memory of 2376	2732	omsecor.exe	32
PID 2732 wrote to memory of 2376	2732	omsecor.exe	32
PID 2732 wrote to memory of 2376	2732	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe
"C:\Users\Admin\AppData\Local\Temp\a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe
  C:\Users\Admin\AppData\Local\Temp\a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
6775671efd0194f7d6e0c60745c5309c

SHA1
601c01db0abf8dfc7aeecf85e24d1b1e456e559b

SHA256
3f84a7c96fd7357f8936158ba90a1f275e8b645348b1d15ce7b9a20776531594

SHA512
661fd8fa51958b02b0d3fe43b29b12f059fa6741f21395d2750cf44ae6954ae61b7c93d0480eb29edad18423f5e3fc635a7dcfec2054013d74dacfc94ad0c52b

Download Submit
memory/1812-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1812-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2376-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2732-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing