neconyd | c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571d

General

Target

c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
Size

65KB
MD5

d5d05acd29a4225bffef36e3d6fb1ee0
SHA1

007d469de21c5a9015762614677e2c8c6893c25b
SHA256

c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571d
SHA512

f02c620fc9b61d9f503c0bc269c9e2e6d0dfa1bb7436be697a4b0cf0a9df8c824a5afab16deeeb1c623c6c40878ebd8bc90ba81b32855d15cd791233b291293a
SSDEEP

1536:4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:IdseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2824	omsecor.exe
2944	omsecor.exe
2912	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2728	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
2728	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
2824	omsecor.exe
2824	omsecor.exe
2944	omsecor.exe
2944	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2824	2728	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe	30
PID 2728 wrote to memory of 2824	2728	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe	30
PID 2728 wrote to memory of 2824	2728	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe	30
PID 2728 wrote to memory of 2824	2728	c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe	30
PID 2824 wrote to memory of 2944	2824	omsecor.exe	33
PID 2824 wrote to memory of 2944	2824	omsecor.exe	33
PID 2824 wrote to memory of 2944	2824	omsecor.exe	33
PID 2824 wrote to memory of 2944	2824	omsecor.exe	33
PID 2944 wrote to memory of 2912	2944	omsecor.exe	34
PID 2944 wrote to memory of 2912	2944	omsecor.exe	34
PID 2944 wrote to memory of 2912	2944	omsecor.exe	34
PID 2944 wrote to memory of 2912	2944	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe
"C:\Users\Admin\AppData\Local\Temp\c9daffc80f0a80703777f17aab9cad483444c74141dafada042d48fe1a27571dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
35004040aa1834520e0517eec19d1afb

SHA1
d8f2fa63517fd03b80a095a059dcdd5c3dc4272e

SHA256
ab5b15e853e6e20c2a6bed85481cd5f38f2260ab2c18f3d347f86dfb1ccaf8b7

SHA512
be122f405a05a06a1b1d442bf1c26ad3d94a164027d219bb551805a0d093f4095caa7a9f36cf2be4c54100559c38c88be47b00f39efa185a693bf9d45d4e583b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
a5e4310328f40061fcd2732719c1ac28

SHA1
c1ce29846bc138f768793aaa80c6d77bf03cf558

SHA256
8c94e542b7fd1661c46ebe59f578270d4497344fc079e154c76f94874714cc4b

SHA512
f35998edc40d3a14218be72c19ffe9c59fa14b9d6eda94772051d08c0ea7e0775bba8041a5f4a437011500aa49b6ffd9570d8399a26a16826b9387f1e2b5bb80

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
a7c6ad6ce6a7148a10caceeb9d5f9107

SHA1
21e7d76e388c9f0d7b48cdd49f207aebd2e3b745

SHA256
6066a0d68ae238d4e61fcc8a432e1aac8749150e71427a2723c0ed71db15d78a

SHA512
8a2a9ad60c6cf6960e48da631dee79e0d95d94b63d1c7bed158652babb8c8a35e5af24a6f4dc6aae926871d40bddc35ef923f057094672f7d9c668b349cabeb5

Download Submit
memory/2728-9-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2728-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2728-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2728-8-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2824-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-20-0x0000000000790000-0x00000000007BA000-memory.dmp

Filesize
168KB

Download
memory/2824-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-25-0x0000000000790000-0x00000000007BA000-memory.dmp

Filesize
168KB

Download
memory/2824-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2944-32-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/2944-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing