neconyd | 4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62

General

Target

4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
Size

96KB
MD5

723b432ff0012815d934e96ac5aa1160
SHA1

9cd5f7e42aa96445e3919cc95d2dbe917624955b
SHA256

4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62
SHA512

537f668f04c4e696df8e5608d6156b5b6f2ec595b89b34df394d60943c49c6291bf2a03c39c9f8e965a7c0a4ac6cb7f18d817df0fd4b3af3657a5dc1222c7507
SSDEEP

1536:TnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:TGs8cd8eXlYairZYqMddH13z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1604	omsecor.exe
1004	omsecor.exe
2248	omsecor.exe
1972	omsecor.exe
4424	omsecor.exe
944	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 1396	2852	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	83
PID 1604 set thread context of 1004	1604	omsecor.exe	88
PID 2248 set thread context of 1972	2248	omsecor.exe	101

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3112	2852	WerFault.exe	82
1552	1604	WerFault.exe	85
4504	2248	WerFault.exe	100
4656	4424	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1396	2852	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	83
PID 2852 wrote to memory of 1396	2852	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	83
PID 2852 wrote to memory of 1396	2852	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	83
PID 2852 wrote to memory of 1396	2852	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	83
PID 2852 wrote to memory of 1396	2852	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	83
PID 1396 wrote to memory of 1604	1396	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	85
PID 1396 wrote to memory of 1604	1396	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	85
PID 1396 wrote to memory of 1604	1396	4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe	85
PID 1604 wrote to memory of 1004	1604	omsecor.exe	88
PID 1604 wrote to memory of 1004	1604	omsecor.exe	88
PID 1604 wrote to memory of 1004	1604	omsecor.exe	88
PID 1604 wrote to memory of 1004	1604	omsecor.exe	88
PID 1604 wrote to memory of 1004	1604	omsecor.exe	88
PID 1004 wrote to memory of 2248	1004	omsecor.exe	100
PID 1004 wrote to memory of 2248	1004	omsecor.exe	100
PID 1004 wrote to memory of 2248	1004	omsecor.exe	100
PID 2248 wrote to memory of 1972	2248	omsecor.exe	101
PID 2248 wrote to memory of 1972	2248	omsecor.exe	101
PID 2248 wrote to memory of 1972	2248	omsecor.exe	101
PID 2248 wrote to memory of 1972	2248	omsecor.exe	101
PID 2248 wrote to memory of 1972	2248	omsecor.exe	101
PID 1972 wrote to memory of 4424	1972	omsecor.exe	103
PID 1972 wrote to memory of 4424	1972	omsecor.exe	103
PID 1972 wrote to memory of 4424	1972	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
"C:\Users\Admin\AppData\Local\Temp\4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
  C:\Users\Admin\AppData\Local\Temp\4c2e4235cab174859f126a8a623841fa6648e20d71da9519a6cfde0df3d32c62N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 268
        8⤵
        Program crash
        
        PID:4656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 292
        6⤵
        Program crash
        
        PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 300
      4⤵
      Program crash
      PID:1552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 288
  2⤵
  - Program crash
  PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2852 -ip 2852
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1604 -ip 1604
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2248 -ip 2248
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4424 -ip 4424
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
27377b63efc938746424400dd26f6736

SHA1
30dfaeb6f1ac664e17e9c11844c071eec3735bea

SHA256
83d45a450ec80634e26e439e69745be392a44b6d0e2503786441143131f46052

SHA512
c922a0a1b843f3cd0a4086fc4a3342f5a5c1cdd801bcfc1747e165fc134e4cbcef3cdbba5a950ec8ff98194097c6c567871d2bd21d9ac1d4c17f7b99e0099c7d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8a00432a1f8eb7785d4a5579b92f9085

SHA1
7bcb0e8d4a5392cfc4c685e7e2dc2a80ee79bf52

SHA256
3b89bcb3175a83b5095c13993cfda156dfa786ece2a1e6c6e90502541d9bde8f

SHA512
ff7a6f70d09fd4b024b34ace1c53e017cebf4b6f52b8bf199e1975d9e8b02af745e8349223aa141ff29d74f814672e4bb310c00da58e265f8516146606600fc5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
5e685060c972e3a49d6b5f0e4188f34b

SHA1
1cee76d0e7d575062a96f911cfa9dd707e747eaa

SHA256
7074086a6ed9f8e9cebc0c9b030e4cd80a27ccb311708d2c87fcacf3bbcd9596

SHA512
94e7c98ef10c1a46633d4a7d4f9904e4cd51f099b55348e0a364bcfaaf194d31868f196813bf42dc7234524933b214293ffb985ec62bdc12045fd3830f70fb75

Download Submit
memory/944-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/944-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1004-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1604-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1972-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2248-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2248-49-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4424-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing