neconyd | 43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03

General

Target

43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
Size

76KB
MD5

1076a4ca22700c9bd3071b3f5be10fca
SHA1

9f3ce9cf20ee6b47676cf2cdee7dbaffb2e41880
SHA256

43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03
SHA512

092873c0450e21eb8adc6f4d103dca5995e1f356baca69b8f1ee78c4c7695dcd21667b8a32f20bccf7d0041aabdd2569dfcd335a010af7fbbcfcf3bc667aff2a
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11V:kdseIOMEZEyFjEOFqaiQm5l/5w11V

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1668	omsecor.exe
2064	omsecor.exe
1676	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1056	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
1056	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
1668	omsecor.exe
1668	omsecor.exe
2064	omsecor.exe
2064	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1668	1056	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe	31
PID 1056 wrote to memory of 1668	1056	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe	31
PID 1056 wrote to memory of 1668	1056	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe	31
PID 1056 wrote to memory of 1668	1056	43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe	31
PID 1668 wrote to memory of 2064	1668	omsecor.exe	33
PID 1668 wrote to memory of 2064	1668	omsecor.exe	33
PID 1668 wrote to memory of 2064	1668	omsecor.exe	33
PID 1668 wrote to memory of 2064	1668	omsecor.exe	33
PID 2064 wrote to memory of 1676	2064	omsecor.exe	34
PID 2064 wrote to memory of 1676	2064	omsecor.exe	34
PID 2064 wrote to memory of 1676	2064	omsecor.exe	34
PID 2064 wrote to memory of 1676	2064	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe
"C:\Users\Admin\AppData\Local\Temp\43a9886d405b412a655ae67a43be2c566acfebd7c3da9710e812339f40fbcc03.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
813832ed98234dc5dc897d8c67b54771

SHA1
3af5098ef770ce3df082fdedd62f6bf235466963

SHA256
22dcdc423c734f3ea7a9c38b5c6301e0c63ba56ab41f79afd284a75b6dea39a3

SHA512
1e4dc7ee1506dfff1ebbdd50e7fed490ae5b9085ff34fc35d913fd04041996859527c37ada542192c6768821cd22b7300587ffd0d9f0a93ec6374be62bb26b0d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
6698cd666ef824ab7ba8e929315b3b4c

SHA1
8cbe3c347b28cd117ac5a20aa914796224736268

SHA256
cd6268a8b4178cc592abb5a4ab7a8aa97b26d32f4fe7476c9d9d964dfdcba9ab

SHA512
be3ee3129344b4d95e7a282ca1c5ab57007d07478a35b7b715049706bb69044770139dbe6cd2ecbdd33d9564767abb02f1aa1d71de8c903ac3d64077bdf7fa4f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
f70fb2b68500c2414c85b2598bbfdc46

SHA1
741657dea050306f32b96e12bc3668c15e9a4434

SHA256
852882a3cb356c2b7a71bda35e57fbc0f62248ca42f0ba7170f39c1a0bb88055

SHA512
7556d17f3d5d5795171bbb0faec6ab9872921aaf6dd30c54714e5183abaa046ea6cadb4f7c6fd08f7507832ea9cc51b317b50512275456374842050663ffe762

Download Submit
memory/1056-8-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1056-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1056-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-24-0x0000000001F30000-0x0000000001F5A000-memory.dmp

Filesize
168KB

Download
memory/1668-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-23-0x0000000001F30000-0x0000000001F5A000-memory.dmp

Filesize
168KB

Download
memory/1676-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1676-40-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2064-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2064-32-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing