neconyd | d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca

General

Target

d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe
Size

92KB
MD5

c006e954c7a00abde36d8db5c6bc4e58
SHA1

3a5b14685fd8b83badb72ecd8d12cd62df47f7fc
SHA256

d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca
SHA512

06417f73995a16607295a6902717085284fb877442fbbd6e81cea29bbf7846f06f89bedc9942d9ede3f1d121abe321de90e76b6e8764e50fc8324ce89fa96821
SSDEEP

1536:Zd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5/:5dseIOyEZEyFjEOFqTiQm5l/5/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2996	omsecor.exe
2140	omsecor.exe
2924	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3052	d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe
3052	d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe
2996	omsecor.exe
2996	omsecor.exe
2140	omsecor.exe
2140	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2996	3052	d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe	30
PID 3052 wrote to memory of 2996	3052	d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe	30
PID 3052 wrote to memory of 2996	3052	d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe	30
PID 3052 wrote to memory of 2996	3052	d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe	30
PID 2996 wrote to memory of 2140	2996	omsecor.exe	33
PID 2996 wrote to memory of 2140	2996	omsecor.exe	33
PID 2996 wrote to memory of 2140	2996	omsecor.exe	33
PID 2996 wrote to memory of 2140	2996	omsecor.exe	33
PID 2140 wrote to memory of 2924	2140	omsecor.exe	34
PID 2140 wrote to memory of 2924	2140	omsecor.exe	34
PID 2140 wrote to memory of 2924	2140	omsecor.exe	34
PID 2140 wrote to memory of 2924	2140	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe
"C:\Users\Admin\AppData\Local\Temp\d8399b54b1c5a979a128bbe213164214ef2955f7c093105f9974cdaa69481eca.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
2f6d9bbc2248f64236f08f2a4c777fc4

SHA1
b6efe23c2f4019f7e207b8da239dff395d8d47c7

SHA256
1aeb614fd1afc03fcf62e5103f693cbd781c733605f984e66918f32dcc52d730

SHA512
ef1dc6a9dabf42adf52caa142e36d3372ebb089ce1745d9f34181827aaaa6c99004ebbdc3ef2a98bb7e6af9b7828d604b353690ae8706f8e399ba8eec357abf3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
0cc25af18d51b9ab02effe90e07d6813

SHA1
5c4eadda9d331e6bcedf4e59f670265476b78dc4

SHA256
05ac76307d6273563734739c377e63f8b7cd7785645387d9b5948323b3f3f9be

SHA512
ac398699cae1eba6f2b20d811efb22302fc1d1415ce7aa28be66e67ddb6a8e775b9260177aa092303072c5b3deeee1d457557efe8bb41a193c0673d7c8a645f1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
7121790bcc98ef4bacb47f62e52de509

SHA1
15fbcd8cce756fddb14e2a8aed7272397d7e44ba

SHA256
67954899ca013bf049fc7cee462ba2302d197bcb1a24f8faeb38e65a33fffcba

SHA512
4f7cc0c90f4a79f08c63553a0f082ee0f683ae09d664e9e28379bc52d89c03281668de9e041c1f2d12742728430735282045d4edd973b682e8af7a3d4e295684

Download Submit
memory/2140-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2140-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2140-32-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2924-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-24-0x0000000001F90000-0x0000000001FBB000-memory.dmp

Filesize
172KB

Download
memory/2996-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-23-0x0000000001F90000-0x0000000001FBB000-memory.dmp

Filesize
172KB

Download
memory/2996-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3052-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3052-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3052-4-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing