neconyd | 44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525

General

Target

44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe
Size

76KB
MD5

adda95e62c0ccaf958a55be967a4464e
SHA1

bd9d2732e8f6ab7bd77b45a177f9c9bf35e10755
SHA256

44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525
SHA512

fe3adaf4c5bc70b57ebaf464c29d2674031c0e46e793904d0c857d1b27e55698de63434d9407c29f68559172f1a246bd8e54f4b40653afb5cc6cd50ffde84124
SSDEEP

1536:vd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11F:HdseIOMEZEyFjEOFqaiQm5l/5w11F

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1896	omsecor.exe
1892	omsecor.exe
2512	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2172	44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe
2172	44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe
1896	omsecor.exe
1896	omsecor.exe
1892	omsecor.exe
1892	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1896	2172	44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe	30
PID 2172 wrote to memory of 1896	2172	44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe	30
PID 2172 wrote to memory of 1896	2172	44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe	30
PID 2172 wrote to memory of 1896	2172	44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe	30
PID 1896 wrote to memory of 1892	1896	omsecor.exe	33
PID 1896 wrote to memory of 1892	1896	omsecor.exe	33
PID 1896 wrote to memory of 1892	1896	omsecor.exe	33
PID 1896 wrote to memory of 1892	1896	omsecor.exe	33
PID 1892 wrote to memory of 2512	1892	omsecor.exe	34
PID 1892 wrote to memory of 2512	1892	omsecor.exe	34
PID 1892 wrote to memory of 2512	1892	omsecor.exe	34
PID 1892 wrote to memory of 2512	1892	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe
"C:\Users\Admin\AppData\Local\Temp\44b82d665af546887fb1dfb1854d3790fde12aeba5f15e7ed032a9c4bc551525.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
d81b119049436743ae7dc2cc89d0c3f9

SHA1
7d180d63ed5a6dc704635fa585de90a44c1947c6

SHA256
191bd1504f7dd8bda6826c2d2dffb353ce1e86f27ca13ec5522f1a502241c467

SHA512
729b06537763a1f3035cea2e1375ab62af2f9e75357b9b650731f27c1acdb121d5a05f781848938801e5103780b499ee9dff9c2cfc44a17b504cba67ba7ef9f3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
2c3fbcf7554f9f9155bd8faf16b32fae

SHA1
0b061202cd08ec53ffc0f9cc8ce960b2ec7d0f8d

SHA256
172bb704b779a4449ec6ffcb3cee1d18deae9144ba0df5f1a9654cc849f95947

SHA512
12ecaa1173148d90f839c494dc8431cd2050e5924ea85d9a8fdff50ed9d07b9b87801668ffd5126bca6a32a1131fa4c49b39574511d0e512ff5564e0edd396e1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
c6f50768b63779225a6760bc7e8fa5ec

SHA1
02fa142efe12992f6d356a70bcaad2cba1ab2f2a

SHA256
5ca814c64c3282c87e0f173e2a820e2d94e1ab14488deedc13649761d7c7669c

SHA512
b38b341e9b3799e84d5decda857235887530f372c239a8232263811bd69275839fe719f7b3f4329d09c78acd7f546f0f793810ca1fa9d8d842f50073886b459e

Download Submit
memory/1892-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1896-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1896-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1896-16-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/1896-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2172-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2512-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2512-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing