neconyd | c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071

General

Target

c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
Size

71KB
MD5

71bb744abacc0cc2d91122f40518e400
SHA1

2696b4941186d1311c3fbcd6e9c821bce6be5cbd
SHA256

c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071
SHA512

fd6043c84c4ea3d077f25cfc663cc0383bc526d4845ab251c803854ad9051db6d612d472a6d1fff667843627861d9e72648581eabbff962545ac4432ee1ea840
SSDEEP

1536:/d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:3dseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1748	omsecor.exe
2820	omsecor.exe
2976	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2536	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
2536	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
1748	omsecor.exe
1748	omsecor.exe
2820	omsecor.exe
2820	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1748	2536	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe	30
PID 2536 wrote to memory of 1748	2536	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe	30
PID 2536 wrote to memory of 1748	2536	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe	30
PID 2536 wrote to memory of 1748	2536	c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe	30
PID 1748 wrote to memory of 2820	1748	omsecor.exe	33
PID 1748 wrote to memory of 2820	1748	omsecor.exe	33
PID 1748 wrote to memory of 2820	1748	omsecor.exe	33
PID 1748 wrote to memory of 2820	1748	omsecor.exe	33
PID 2820 wrote to memory of 2976	2820	omsecor.exe	34
PID 2820 wrote to memory of 2976	2820	omsecor.exe	34
PID 2820 wrote to memory of 2976	2820	omsecor.exe	34
PID 2820 wrote to memory of 2976	2820	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe
"C:\Users\Admin\AppData\Local\Temp\c678da23b324957bcd52545e5a3eb80cdcc20bddfa0813ab5291c2fcfc654071N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
03cb7f6f015752357265d67fc886541b

SHA1
a3271d6c2551f5b556262002cc0d779974b54889

SHA256
0b40578b66ec87d50aefaebf463ea6f0b80ee7d83cfb145e5733a1fba0600dee

SHA512
067c76adca86db50ab4ec96545f58cf112d6ecb662ae3173ae50ec4038aa36dd4c8b1979233955951249111f846550e9d9ae54829c0b1a462ca1218698302075

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
43716656be78b43c454bf4853e7079eb

SHA1
4578766c817cf11d2ba9c2614bf5c08b5a8ff9e0

SHA256
84266add1ab8fd8a0b251e06c86e4f918143f65b339ef07084cfe214313a2c27

SHA512
cf0f7ea5a28958a2c57179b104cc525e3eb3f9396eb24c033b67555e92d1d565e41a4494a32e3184f6d663c10eed1aff402d11b7d88ac380d86ac58b76d3663f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
dcbd02018759431fee4ab459d83f6717

SHA1
41442f3f0c8bdf8b497f2d69af2bb7e4acc4c1ad

SHA256
daf0a38d55c38fb7e4ae5422ca8d5b82c4f7691865ec3e1fab5c10d7e4b2c98c

SHA512
200284ebef5037aeb3cd6ed2997a21212150fd6480b91b4f6f0f0c96dfc78de048db540527681ce40c055f67ccf991b3b125cc585c076046cca66075b131747d

Download Submit
memory/1748-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1748-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1748-16-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/1748-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2536-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2820-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2976-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2976-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing