neconyd | c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8

General

Target

c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe
Size

76KB
MD5

4d30c5bc4500c5f74c2a4886ba809b12
SHA1

d4c8acc8caccd6bb4336d203646085cbc29794bf
SHA256

c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8
SHA512

2fcc8a37ed1bbe8ccc81ed94ce4cc3e2b0c2206a0145db47cbb7edd0456f0c38cec025eb239bf80998a8af01d9b32617e64892dd2da60d71ec2a47a97e73bd1a
SSDEEP

1536:Dd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11f:jdseIOMEZEyFjEOFqaiQm5l/5w11f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2912	omsecor.exe
2312	omsecor.exe
1868	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2208	c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe
2208	c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe
2912	omsecor.exe
2912	omsecor.exe
2312	omsecor.exe
2312	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2912	2208	c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe	30
PID 2208 wrote to memory of 2912	2208	c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe	30
PID 2208 wrote to memory of 2912	2208	c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe	30
PID 2208 wrote to memory of 2912	2208	c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe	30
PID 2912 wrote to memory of 2312	2912	omsecor.exe	33
PID 2912 wrote to memory of 2312	2912	omsecor.exe	33
PID 2912 wrote to memory of 2312	2912	omsecor.exe	33
PID 2912 wrote to memory of 2312	2912	omsecor.exe	33
PID 2312 wrote to memory of 1868	2312	omsecor.exe	34
PID 2312 wrote to memory of 1868	2312	omsecor.exe	34
PID 2312 wrote to memory of 1868	2312	omsecor.exe	34
PID 2312 wrote to memory of 1868	2312	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe
"C:\Users\Admin\AppData\Local\Temp\c712a98a2856203c1a98e77ac667ff7badbdd9ffa595490512b8196b084689c8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
7bc211b46151025a4454e18b5a64535e

SHA1
532295e91edc31f9133db7891950def5db9b32d2

SHA256
fb521bf188bf7fb1632cc20f374823ad75353d961d02185eb28b476ec42253a2

SHA512
8c0138ccb2bdcbbe322cbf0d1924788ad5a4e8cfa1ad063ba35a4f7af85c6522a70f8cc51ca465ee12d354af9738a09c1254a7e8bccb30c84ed8ce7f11f30337

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
31f236fd26940fa7e2f6a00644f41dc3

SHA1
44399bf7ffd425251e0334895f168ed9b1c123f1

SHA256
a67e5b028b9b6f0e8021b7cb22fb4e2d35a8987aeab7b06bd754340074c9bf4d

SHA512
2128bd3f1698ff67f4afb5b9b468d3a1294e55067960dfcd2b5607a9f85098219b08ba17fd4cface9158b8dd80ac824bc87b2be29612e502a1e6bed7b198f0c4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
8943e25af270573823dba8e4d5a647ed

SHA1
94aba8cf56f0593705cfad24dd123413aa98ae7f

SHA256
84f7bdc05658267727d281ddba07d55f20d1a735db1e8107d2ab9a35eb3dade7

SHA512
9ecaee9d0a4dac0a1e14e00ca29f4d6c64a5e3a6179274bd481602ea878386dce4b5c166150a3e8c9be5d8d2652e94a3cf43913e3d6f0dcfbe092aba4fdfcdc7

Download Submit
memory/1868-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-3-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2312-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2312-30-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/2312-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-18-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2912-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing