neconyd | 3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3

General

Target

3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe
Size

90KB
MD5

bea6503488efd1cfc9f2318255e70b87
SHA1

91a18d94a1e46ddf1e351c34b8cddb52fe31fb7a
SHA256

3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3
SHA512

9841a51653c6730ba918f3d8094994c991b6e21e6c095d8f524890dac32190d745158cfd4ec1288e3f9e249a5b0203814c99e89114c071e9ecbf4401e0d8921c
SSDEEP

768:zMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAO:zbIvYvZEyFKF6N4aS5AQmZTl/5G

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2296	omsecor.exe
2956	omsecor.exe
2088	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1280	3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe
1280	3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe
2296	omsecor.exe
2296	omsecor.exe
2956	omsecor.exe
2956	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2296	1280	3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe	31
PID 1280 wrote to memory of 2296	1280	3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe	31
PID 1280 wrote to memory of 2296	1280	3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe	31
PID 1280 wrote to memory of 2296	1280	3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe	31
PID 2296 wrote to memory of 2956	2296	omsecor.exe	34
PID 2296 wrote to memory of 2956	2296	omsecor.exe	34
PID 2296 wrote to memory of 2956	2296	omsecor.exe	34
PID 2296 wrote to memory of 2956	2296	omsecor.exe	34
PID 2956 wrote to memory of 2088	2956	omsecor.exe	35
PID 2956 wrote to memory of 2088	2956	omsecor.exe	35
PID 2956 wrote to memory of 2088	2956	omsecor.exe	35
PID 2956 wrote to memory of 2088	2956	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe
"C:\Users\Admin\AppData\Local\Temp\3ff2f5de3a8b59b3da294f20769a573708f927230f15a9e0f1273c51d851a9f3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
510732a371f37de7771ae954f19b4b6f

SHA1
6bdd2f29646abc8404d7a9f1d591db3f73eac8a5

SHA256
01d57407520ce9b754b6279b065bbb7a5d48d9b2c9ba431869693fdd9514b1c1

SHA512
e4218c3c4e6483988ef2cf54173b28ffaad1bc77f1972dd91731bd08f74cffc412a555cc5a7a8078cea816cd2f2aadfc90e3db67d08cbc4f07df745ffa9b2708

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
08820a1706cb23d92fcf11792e21f2cf

SHA1
0596f70b2903cb62e1743bad0268596b6655eeb7

SHA256
a32c8c5ef136f3eb6f7c0d70888a18f06eae63813e58cde45ba3ea0d58fbe048

SHA512
cff533f77722f9678b996f466823dfb7c6c7cc458270933b9ad38d00bc396d93b72543285e4ef16d798c91a89a365c13401e9de4a6d6d8f07a9f6b69f69b3e5f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
b53cc59669c5e4feebec19a7260d58b0

SHA1
b68467287eadb7718d953da521176ca2a02cc8a9

SHA256
fc2c72931e547b12527fb47d0825f7c43429778e1c66866a46bcd4818162dd54

SHA512
07eac432e0d417b2535abef5930aaa83d06131311eda28afe61ab281971cec2f0aca354418f04eadbd12cc014787ceb544e846af6de1e9d388682bd39d768437

Download Submit
memory/1280-3-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1280-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1280-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2088-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2296-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2296-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2296-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-30-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing