neconyd | f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be

General

Target

f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe
Size

65KB
MD5

a92d13c049690b507dec08c60b31b63c
SHA1

3cfd1845b72a3f718f822c738f4f6d1f7d1a5e15
SHA256

f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be
SHA512

78028dd07b3cd83a7a53b14036afc544e377c625ea3cf1ee39e74101829c3c4d89a9a31ed1787fe975fda15f8f80cb85e52004558fa2144ffa0e0e24d8e793b9
SSDEEP

1536:Gd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzP:+dseIO+EZEyFjEOFqTiQmRHzP

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1184	omsecor.exe
3016	omsecor.exe
1240	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1972	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe
1972	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe
1184	omsecor.exe
1184	omsecor.exe
3016	omsecor.exe
3016	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1184	1972	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe	30
PID 1972 wrote to memory of 1184	1972	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe	30
PID 1972 wrote to memory of 1184	1972	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe	30
PID 1972 wrote to memory of 1184	1972	f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe	30
PID 1184 wrote to memory of 3016	1184	omsecor.exe	33
PID 1184 wrote to memory of 3016	1184	omsecor.exe	33
PID 1184 wrote to memory of 3016	1184	omsecor.exe	33
PID 1184 wrote to memory of 3016	1184	omsecor.exe	33
PID 3016 wrote to memory of 1240	3016	omsecor.exe	34
PID 3016 wrote to memory of 1240	3016	omsecor.exe	34
PID 3016 wrote to memory of 1240	3016	omsecor.exe	34
PID 3016 wrote to memory of 1240	3016	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe
"C:\Users\Admin\AppData\Local\Temp\f0d10b649cd5b1eeee89753aed209081a0d07bfa838d69b012d511fb660188be.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
d19b4b75a78f4cf59f8befa050be85b5

SHA1
bc40748f7f6c5be849e210beb0c515799096ece5

SHA256
08fee8c35b616190d57f9e0d271871c2f29ee53a41ae93fb2f4adb73234b3abc

SHA512
52ecff996c44f8bcf2d2d311b8df1e65fd82e98b0d9510e4115222444cffff504536d9eea14581e4b67782d7c05a4e8eaf4bd4dce42840c6cc5e148e116c886f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
41ee4f4a893c23faf161cbba1e38d723

SHA1
cb417f2a0a25e0c6bf897fc78066015130706ce1

SHA256
a322f58f8f904eeafcd8241875d32c8f9675e78671ec8c628ac58cd1d72f0502

SHA512
ece17113f251b0924afba4928dcbe875f6205abb08ab3673be5b6eef0514a71b2798933f8e9303b39bb31c7f5db5c9696599b7b8fa3734164522672d7bbdc6bd

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
828582e2770f831c75ad69e3058c1946

SHA1
9835899caad79116c81fc0561318e134b079160d

SHA256
b4c64f591ba5f1d3bb7683dd99018eaec599daf814bde46507bc8575b9f12931

SHA512
3b87159a10ce5bb1db3a211c508ab5b5a435f51cbffbd5f0560f75ef09d60abeb484cf877bf2e0a09cd6f82e7755f9754a14f389fdebeaf75273b70fc1c9c297

Download Submit
memory/1184-19-0x0000000000330000-0x000000000035A000-memory.dmp

Filesize
168KB

Download
memory/1184-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1184-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1184-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1240-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1240-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1972-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1972-13-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1972-9-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1972-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3016-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3016-32-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/3016-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing