neconyd | 3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60a

General

Target

3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe
Size

76KB
MD5

bedb4810e0fdcac907fc66cdd659ab40
SHA1

e14e0d31be41d8c5436d4f1fe1030534d65e1b53
SHA256

3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60a
SHA512

c4c791fe7139920df90a9c22b0651d35bc80e0f2829df083f366a9337ec8b2fc706e4fa15955b8b41a54a9aaeb85a61da01ffb6fb59792a496005dda3c917e68
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11T:XdseIOMEZEyFjEOFqaiQm5l/5w11T

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2904	omsecor.exe
712	omsecor.exe
1444	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2808	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe
2808	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe
2904	omsecor.exe
2904	omsecor.exe
712	omsecor.exe
712	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2904	2808	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe	30
PID 2808 wrote to memory of 2904	2808	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe	30
PID 2808 wrote to memory of 2904	2808	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe	30
PID 2808 wrote to memory of 2904	2808	3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe	30
PID 2904 wrote to memory of 712	2904	omsecor.exe	33
PID 2904 wrote to memory of 712	2904	omsecor.exe	33
PID 2904 wrote to memory of 712	2904	omsecor.exe	33
PID 2904 wrote to memory of 712	2904	omsecor.exe	33
PID 712 wrote to memory of 1444	712	omsecor.exe	34
PID 712 wrote to memory of 1444	712	omsecor.exe	34
PID 712 wrote to memory of 1444	712	omsecor.exe	34
PID 712 wrote to memory of 1444	712	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe
"C:\Users\Admin\AppData\Local\Temp\3c50148385e01f5bec2879086d969fb93a76f2f4a4fb678b55cae6c38efdd60aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
402e67f3b5e8009ecfd54bb3f3ffda2f

SHA1
d5aaf50c059edde3b959492308c6c58fde28f9c9

SHA256
22b915b62a07e2f53f32b89c489ff030d68e582acaf09da6bc5c0711942507bd

SHA512
3cb5f53c8f8eb2ce9e53fc150703c39b80801d39125db334b8d0fa4bd56cdc999b6b86f2aaa2949e04072e4cd402f0fdbc8e2b0ad2a56f8fcea61bb3fa49de4f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
ee6934bc8b5ee37994a2025019f4f1a9

SHA1
78289cf265104fe91fc0a3da17a211eb5ec93131

SHA256
f379d4cc7dda3204870d02b853cc7796f66a0634637f2fd8bff32b2a95922bd9

SHA512
46796532eacaae638c4fc4219b20a01e5fa5622b3817b3fcf898fa6277ccc0f74133582582cd8bc1e8f552576909158c88e18e03748447c425167446b79a63d9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
c56376d8169ce8865e957efa3fd15cdc

SHA1
ce323189bde7de626bc1955970f2d0df21e6a835

SHA256
50f6b34e2cc627705f7e23135df6cd7ea6206f0e90f38190c3f8ac19bd1a20fa

SHA512
07dbeccb5f6acaeb7b80a4406e26e1e3afb665042a89360b4e3d923fbc0706423f4009f6f7d01275d2f4b53bddf7c4c871741537b6efde5270996f7fed0b4a89

Download Submit
memory/712-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/712-32-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1444-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2808-9-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2808-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2808-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2808-8-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2904-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-26-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/2904-20-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/2904-40-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/2904-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing