neconyd | 781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbed

General

Target

781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
Size

65KB
MD5

21c540f78bdf821f2f1af733520c7ac0
SHA1

dad78580707815d02ef375d7e6645d13d388aaed
SHA256

781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbed
SHA512

dbcf9d5589010e6b9d7bfab28fcf4b4af413f6a31cd8e0e818751685cbd8e539b9eb9ea95df1e0052cd5e973cfaabfb33418b5b36393a51e2588ac347853b030
SSDEEP

1536:hd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:RdseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2524	omsecor.exe
2020	omsecor.exe
2452	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2492	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
2492	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
2524	omsecor.exe
2524	omsecor.exe
2020	omsecor.exe
2020	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2524	2492	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe	31
PID 2492 wrote to memory of 2524	2492	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe	31
PID 2492 wrote to memory of 2524	2492	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe	31
PID 2492 wrote to memory of 2524	2492	781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe	31
PID 2524 wrote to memory of 2020	2524	omsecor.exe	34
PID 2524 wrote to memory of 2020	2524	omsecor.exe	34
PID 2524 wrote to memory of 2020	2524	omsecor.exe	34
PID 2524 wrote to memory of 2020	2524	omsecor.exe	34
PID 2020 wrote to memory of 2452	2020	omsecor.exe	35
PID 2020 wrote to memory of 2452	2020	omsecor.exe	35
PID 2020 wrote to memory of 2452	2020	omsecor.exe	35
PID 2020 wrote to memory of 2452	2020	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
"C:\Users\Admin\AppData\Local\Temp\781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
aa2c86fd763014630a67ddf397818d45

SHA1
fa521f069005025be29a1fa8b2c73a4e23bf6731

SHA256
6184d19b82a55b330db3719e32bf6be063fc390078ea1d15a150d12c0571ba1d

SHA512
5a171ffdf77d089503d56fbe94c731d14cc6260cc7f60a23bebe4640f10c52c6c60acf572b1d5fb009ecdacfd9fb3df838a202b658c4865d94561e7dc4867919

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
38774e4d6c0db08725122be4fd407463

SHA1
9e8908bd43e73b1d0be87fcedd77e368d581cc11

SHA256
258fc8cf69a98d349712430d29b532f46898748419940acab9c6504fbfafe17c

SHA512
7d04cdf63e280a0d6f5c6843e4de1981bd537c4bcac246290ce8ba70ecb6b6e228ba03cb3f78b0f63ab7aa8cb016355f42612666415c7a9b74e879795f0d1be1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
b73483edd5abf43668042268ca357046

SHA1
38cdcad2a1326391fe3b7b5f3f39d615d30b7614

SHA256
3cecfee64dec375816a314d36058b0266f6758f03f18a042549780b1596ccac1

SHA512
bb98d26a5253148a240f6f818408f8b9847e453d0611f74566fe93e50c38f87fccf65fc77cd303f91ae73f38d2c5b2d6038f2a77d0a75dc93b3fe1ce0daae9cf

Download Submit
memory/2020-39-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2020-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-31-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2452-40-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2492-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2492-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2492-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-22-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2524-23-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2524-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing