neconyd | 240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70d

General

Target

240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
Size

33KB
MD5

6b4a87610d7192ec35123b4f22ffa960
SHA1

2e82ed58a2647815bf7c347e428bfd39d75f3e82
SHA256

240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70d
SHA512

b7656415066d4bacfbc9c985330130ce7258b33dfb637f4e97c9d557d33ac3905e9bbaa180c92b03f23c00ef6b3a1155b5c2660aa7aee401ccf01db4c221467f
SSDEEP

768:jfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7DJ:jfVRztyHo8QNHTk0qE5fslvN/956qw

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2012	omsecor.exe
1492	omsecor.exe
1564	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3056	240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
3056	240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
2012	omsecor.exe
2012	omsecor.exe
1492	omsecor.exe
1492	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2012	3056	240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe	30
PID 3056 wrote to memory of 2012	3056	240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe	30
PID 3056 wrote to memory of 2012	3056	240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe	30
PID 3056 wrote to memory of 2012	3056	240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe	30
PID 2012 wrote to memory of 1492	2012	omsecor.exe	33
PID 2012 wrote to memory of 1492	2012	omsecor.exe	33
PID 2012 wrote to memory of 1492	2012	omsecor.exe	33
PID 2012 wrote to memory of 1492	2012	omsecor.exe	33
PID 1492 wrote to memory of 1564	1492	omsecor.exe	34
PID 1492 wrote to memory of 1564	1492	omsecor.exe	34
PID 1492 wrote to memory of 1564	1492	omsecor.exe	34
PID 1492 wrote to memory of 1564	1492	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
"C:\Users\Admin\AppData\Local\Temp\240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
90c7fd5f1e2ac396dfd57f1d98bf9bf6

SHA1
407bf80c51b5e03816cc085739d12dcc58ec1feb

SHA256
821ae93fb9c0dfa68fb59e7d28c1bfadf4da3650a14876ff61b8125b781bdda4

SHA512
da456fe1fe51ce7c19a429fa0b85de82a364741cf7ddab29f73d8e29c2a6366111254057e4d2e30d58b0e8ebc2e0a92b041e4f3354dd770c3eb87bbd328f6bcf

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
a6fd68d59f3405fb54d619825b9ccda6

SHA1
06b89763bd13a5d4ba8267b487a1541ef2f26eb8

SHA256
4babfc0462a134f60b4f57604525af2012515c4c1be6e9dbb4b51a16cd1370d5

SHA512
76af982a5f56fc3e293250d8bcb42502d8939487935f8833c1705b251660cf8e0464052f89f163743f74f77c5388890a863b8c0267061aee395488844c151371

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
449970832ad8c542a6164b53d1a99507

SHA1
1dd83980e19a5df76f5e6ec13a256bb8287fcc12

SHA256
04d3cd4d851ee9066459066877f2d593e266cbfc59bcf0b09b46cdebb049ac0f

SHA512
bcff716e3f9186af62dbd6dae27f75e83c030b517b9894a95d9d08bb5f1898148163cf5dd1538e19db9e19b1244d9c370335a4653eaecb13862cae2cce07b69b

Download Submit
memory/1492-40-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1492-46-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1564-50-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1564-48-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-26-0x0000000000370000-0x000000000039A000-memory.dmp

Filesize
168KB

Download
memory/2012-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-33-0x0000000000370000-0x000000000039A000-memory.dmp

Filesize
168KB

Download
memory/2012-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3056-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3056-10-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/3056-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing