neconyd | 342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b

General

Target

342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe
Size

33KB
MD5

36528821f7d49632583ab92778155077
SHA1

1fdc2cdb988e8468309ba684cc6471bb183c6bec
SHA256

342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b
SHA512

a0d9e713159a6ce43a9e16f0fa325811596a6adb972b93687ab0bd99c0a79180d92c1360abae23c78e9a362444a87de7799cf23a214a6ad1b1fbb1a8b456ed6e
SSDEEP

768:jfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7Dr:jfVRztyHo8QNHTk0qE5fslvN/956qA

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2212	omsecor.exe
1620	omsecor.exe
284	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2236	342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe
2236	342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe
2212	omsecor.exe
2212	omsecor.exe
1620	omsecor.exe
1620	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2212	2236	342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe	30
PID 2236 wrote to memory of 2212	2236	342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe	30
PID 2236 wrote to memory of 2212	2236	342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe	30
PID 2236 wrote to memory of 2212	2236	342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe	30
PID 2212 wrote to memory of 1620	2212	omsecor.exe	33
PID 2212 wrote to memory of 1620	2212	omsecor.exe	33
PID 2212 wrote to memory of 1620	2212	omsecor.exe	33
PID 2212 wrote to memory of 1620	2212	omsecor.exe	33
PID 1620 wrote to memory of 284	1620	omsecor.exe	34
PID 1620 wrote to memory of 284	1620	omsecor.exe	34
PID 1620 wrote to memory of 284	1620	omsecor.exe	34
PID 1620 wrote to memory of 284	1620	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe
"C:\Users\Admin\AppData\Local\Temp\342ce72dae7f771762f11bbf10de036d957a8a7e43558e0a14e032b1cf63095b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
9faef70f1cbaa189e1e3f2af31378c54

SHA1
979102cb8d78b5ee6c9c0e2794170f0b786603f5

SHA256
9d5263bf5f63747746936b96c3ce1076fed0f95ae14633031a39c31ce9a10faf

SHA512
e6f03f44f99b127178f89dda950b9bc9f74452fb6b947376054a710165225d64873381c2d29059c6e025fee5515732eab11574c8aecd86603c07ee28399e32af

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
5fa6cf44c45fb85e4743112754d5cab4

SHA1
8efa3843cf82cfe6dba62bfb44c68a05a6b79591

SHA256
cd05d46141c90e5b02069a209c0d5fe20af43ae898fcd0ff1590c97ef2b39370

SHA512
21a3d91e1ae631a4b7d868d7812e9ef5a7d7f2be141a26c9411efa8922f4da8ca98a2005a57ca75eb0411d65e2cc5d63dc56f55a3acc1e277522894d586e76b5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
cbfd0a2d4fba9e4605c4cded26e7585d

SHA1
5a10ebca701ad0f3f20c4347c50a7e7f9d071090

SHA256
6020bb528ca953fe45c9a91b3724031efc2afe6e888e7860ea014dd59924e8dc

SHA512
d92cc86d8e3a15f854d8d54a1e7c6559baea36886f30fd8b010107364b40a4a1f655b4b24ea9126653ac16bc267373d32491064e58c736dd44f7c53cb30015ff

Download Submit
memory/284-50-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-45-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1620-46-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-39-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2212-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-27-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/2212-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-49-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/2212-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2236-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2236-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing