neconyd | 4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820

General

Target

4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
Size

65KB
MD5

e61c59c5b1a01e9e2a31877ed0d17600
SHA1

c8058a611ae1788aa0bbb8ff1559bc3b58b350a7
SHA256

4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820
SHA512

eadc80af64e8ea5220b76be7e2e99ac15797c009c0878c64959b60ed415e892671122b4c1a101d695b4c776a117cc2997a57b06304b949eb3d4c02408395f8b0
SSDEEP

1536:Gd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:+dseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1824	omsecor.exe
2524	omsecor.exe
872	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3052	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
3052	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
1824	omsecor.exe
1824	omsecor.exe
2524	omsecor.exe
2524	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1824	3052	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe	30
PID 3052 wrote to memory of 1824	3052	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe	30
PID 3052 wrote to memory of 1824	3052	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe	30
PID 3052 wrote to memory of 1824	3052	4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe	30
PID 1824 wrote to memory of 2524	1824	omsecor.exe	33
PID 1824 wrote to memory of 2524	1824	omsecor.exe	33
PID 1824 wrote to memory of 2524	1824	omsecor.exe	33
PID 1824 wrote to memory of 2524	1824	omsecor.exe	33
PID 2524 wrote to memory of 872	2524	omsecor.exe	34
PID 2524 wrote to memory of 872	2524	omsecor.exe	34
PID 2524 wrote to memory of 872	2524	omsecor.exe	34
PID 2524 wrote to memory of 872	2524	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe
"C:\Users\Admin\AppData\Local\Temp\4dc3eab91ad53aa5827622588e38d6b100a31ad8a342eddc5548769174677820N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
e66166e6715e0b25409501a4a79fb9fe

SHA1
748b5630da2fc1b85bc8333807d431a37a814695

SHA256
c9731ed55fd8f2d6402dc686301eb46787648a1dbbc0be8b519dc08d43597481

SHA512
b3c13823e6e99a5d393d3e6fc886babc49340ce64b6a39e41ebb6c01eb1409e1d0328f90c64edfcace4e3f2f321a6fa8eff16dcf5b17129acbf4a31201bf9b18

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
1e84a6e10f2eed342b1e56e1822fb3a7

SHA1
70f9247a0d69dff58d58fd34ee042e8bcf97f661

SHA256
aadbf4a32530e19514963b21ea873d660683e05861b975cc997b40d5b5da223e

SHA512
cdbc37ee0e79cc580db2ba3d35c9740e99336d81001ca0fb04606db409a23de103e34b86bd58060b546c36611de97e68325fe23590bafaff0519ae3fb1c35610

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
0c83c0f52d29b7f55388639e419887d4

SHA1
ef4902ed18a81b9a62e9379b8c98596ba16bb9f5

SHA256
79e795096108dd4a86b357bbba338a75ba6a8796ba497806ead70c42208b71f8

SHA512
3dea41401ff85acfc36c247683bc413531da9129378782ae4fb13212741a1299d8a8785dfe7d8e0acf3b10df6e559f75a39c523866a00be4c6a600c287a198df

Download Submit
memory/872-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/872-40-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1824-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1824-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1824-18-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/1824-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-36-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2524-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-34-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/3052-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3052-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3052-9-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing