neconyd | 50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481a

General

Target

50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe
Size

92KB
MD5

98108b579aa9cb4b2ce50da34ddab740
SHA1

b340d2bbacd14cc02b54e47b44c5c99d34c84434
SHA256

50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481a
SHA512

906e30a5c96cc99d1e70a092c814f6a882ec80cd7dbea11874fdcdab182b59423dc21f3ea09c47ed54233b7f25feabdb8c4ffaa8bdfaff87fca12b711141c04b
SSDEEP

1536:Zd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5d:5dseIOyEZEyFjEOFqTiQm5l/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2092	omsecor.exe
1304	omsecor.exe
2856	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2720	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe
2720	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe
2092	omsecor.exe
2092	omsecor.exe
1304	omsecor.exe
1304	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2092	2720	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe	30
PID 2720 wrote to memory of 2092	2720	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe	30
PID 2720 wrote to memory of 2092	2720	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe	30
PID 2720 wrote to memory of 2092	2720	50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe	30
PID 2092 wrote to memory of 1304	2092	omsecor.exe	33
PID 2092 wrote to memory of 1304	2092	omsecor.exe	33
PID 2092 wrote to memory of 1304	2092	omsecor.exe	33
PID 2092 wrote to memory of 1304	2092	omsecor.exe	33
PID 1304 wrote to memory of 2856	1304	omsecor.exe	34
PID 1304 wrote to memory of 2856	1304	omsecor.exe	34
PID 1304 wrote to memory of 2856	1304	omsecor.exe	34
PID 1304 wrote to memory of 2856	1304	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe
"C:\Users\Admin\AppData\Local\Temp\50c8e53f499598b672dbae9eddfc6cd415d2dc4726500fe637007ab86f3a481aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
e8867b1826f19849aee119dfff01fd08

SHA1
492c1110321c3041fd57c70bd678b14caf7479c3

SHA256
4325795035004f5c12049cea790c39c922f0f84b7a3068d63e7b57ac349a5a4e

SHA512
350227516fa47b28aedcd7aadb26c8c792635f4a62c1fc21a92d8737dbf550d332554c59a374bd3cd72d288350a34e5dcd72e0df32489bbe7fe2d45ea0f1f1da

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
fd16a56cd443528faf2cbb354be7b93e

SHA1
a6718af27f0ef810cb64eb874a94d1d6a4fd1376

SHA256
0398d590683782e05862cfa1c235ad301f3d417c82da46a98e9a752450200c8a

SHA512
1f7c0e9745c41fe93b492895bffa3b9d8c49568a4888847279248b6013fa33975ee96a15dc03a8ff0d5a54664ceb7b7839c25242fd7306c223dba9c505889a52

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
536a65e5409ffa996859264f0ec52927

SHA1
7bd385223f5cff038871ad0dcfed76d0f0728ba5

SHA256
4546fbc50a0491c7c7c6a048696500e904fd5b52ae4115d1ef09feb8ee3253c2

SHA512
027b1a87a1bf6a36a9c09e4e4504d7c4dc68aa152edef0441b28497a23031a7f9f6158c43166d3d3bcc05066aca0593d329dac720aebb611e4bb7a50f0ae1fc6

Download Submit
memory/1304-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1304-30-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/2092-19-0x00000000002D0000-0x00000000002FB000-memory.dmp

Filesize
172KB

Download
memory/2092-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2092-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2092-24-0x00000000002D0000-0x00000000002FB000-memory.dmp

Filesize
172KB

Download
memory/2092-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2720-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2720-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2720-4-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2856-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing