neconyd | 969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89

General

Target

969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe
Size

71KB
MD5

dc8dfbc3f298dc544328b84582b162ac
SHA1

f1e12fd2b377fea6bbeffe5e9124ed4f433ea8c6
SHA256

969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89
SHA512

e507027f461941fe6b38b865cbe4c1e6504492f5283de9c0845e7a87e4b9c753790e107aa77282a2a5aa08bd1d7abb5c3dfe978a8ba7b847e067e4e36ff50911
SSDEEP

1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHH:bdseIOMEZEyFjEOFqTiQmQDHIbHH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2524	omsecor.exe
2020	omsecor.exe
620	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2492	969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe
2492	969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe
2524	omsecor.exe
2524	omsecor.exe
2020	omsecor.exe
2020	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2524	2492	969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe	31
PID 2492 wrote to memory of 2524	2492	969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe	31
PID 2492 wrote to memory of 2524	2492	969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe	31
PID 2492 wrote to memory of 2524	2492	969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe	31
PID 2524 wrote to memory of 2020	2524	omsecor.exe	34
PID 2524 wrote to memory of 2020	2524	omsecor.exe	34
PID 2524 wrote to memory of 2020	2524	omsecor.exe	34
PID 2524 wrote to memory of 2020	2524	omsecor.exe	34
PID 2020 wrote to memory of 620	2020	omsecor.exe	35
PID 2020 wrote to memory of 620	2020	omsecor.exe	35
PID 2020 wrote to memory of 620	2020	omsecor.exe	35
PID 2020 wrote to memory of 620	2020	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe
"C:\Users\Admin\AppData\Local\Temp\969f1f47607318556206ba2fe8d18ca3e2554181a6e29473c2b8f02a2e73ea89.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
97101c8c87846fbd4ed5f7b918e6eedd

SHA1
9bb182866faf0606b281b96403f412d0a27fb200

SHA256
16877a02ef9dca6518dbcd57a839a1c2fa04d322a97ca4c93728bdf04a5eb9ee

SHA512
5de18671f970dd94e880a59847f42d4e9458135ae4751a28a9c503a8a2b8b35e89a25e1900d6489500ae8ea5f874a75fdf7b26d7445175909c4d6d43e3bd9b5c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
4736aaa2512857d60a742896e9a64f6b

SHA1
bb435f8e2e2f91dfc8dd97d81a6e48507a64331e

SHA256
42bce290b528c442b306fba600ee615299190c8ccef311a97735ec3afbb0f5cb

SHA512
f2b517c1f4eaf78252e6218580a78abca974dd55bd7bced82ba2f12285ac5dc770a1ee2826ffd2d83aa6f403b3405418e4fe834fac9bf43d04e5a8d640a438c5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
e142ffa4e75688da63f2169ecb7d4b58

SHA1
9d1edc6f34d76014b897f19bca8d36fae6763931

SHA256
e74d81599b5f6d84e5b9af5d435f895f96eb7529d81cdbec2866f3c7a45692ec

SHA512
5eeb732d6db0fb430975dae9c0562d67d774237649dd6cc11a87ff8fd4b93c3d6cd3cefdbee333aeb8695da742c0f32fabe79c2b420b5228ec6120501ee5a3ed

Download Submit
memory/620-41-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/620-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2020-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2020-32-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2020-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2492-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2492-8-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2492-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2492-9-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2524-24-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2524-23-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2524-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2524-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing