neconyd | a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868

General

Target

a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe
Size

96KB
MD5

90b637875a749ac270736af19984375b
SHA1

11b094408ee9254e527e8a778e3e384d3ac12ec7
SHA256

a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868
SHA512

44b0535f2118b0f1b0d91809e557ad01cadbdf1917e34f39b13542375f7b3132e5da8d88b63c833aeada839670db5871219b0cafcbf6a9f41ae1e86c3c70e603
SSDEEP

1536:SnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:SGs8cd8eXlYairZYqMddH13R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2956	omsecor.exe
2424	omsecor.exe

Loads dropped DLL 3 IoCs

pid	Process
1840	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe
1840	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe
2956	omsecor.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 1840	2164	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	31
PID 2956 set thread context of 2424	2956	omsecor.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1840	2164	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	31
PID 2164 wrote to memory of 1840	2164	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	31
PID 2164 wrote to memory of 1840	2164	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	31
PID 2164 wrote to memory of 1840	2164	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	31
PID 2164 wrote to memory of 1840	2164	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	31
PID 2164 wrote to memory of 1840	2164	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	31
PID 1840 wrote to memory of 2956	1840	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	32
PID 1840 wrote to memory of 2956	1840	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	32
PID 1840 wrote to memory of 2956	1840	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	32
PID 1840 wrote to memory of 2956	1840	a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe	32
PID 2956 wrote to memory of 2424	2956	omsecor.exe	33
PID 2956 wrote to memory of 2424	2956	omsecor.exe	33
PID 2956 wrote to memory of 2424	2956	omsecor.exe	33
PID 2956 wrote to memory of 2424	2956	omsecor.exe	33
PID 2956 wrote to memory of 2424	2956	omsecor.exe	33
PID 2956 wrote to memory of 2424	2956	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe
"C:\Users\Admin\AppData\Local\Temp\a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe
  C:\Users\Admin\AppData\Local\Temp\a5f9a9723f445f7ecff9e5756004a81c8d7c35370fc1b721ac6285c7f4010868.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
1cfb5724675edaa889804a56e1754dc6

SHA1
4cfefd037e825e9b9e35f5728043b3d2095b03f2

SHA256
a9a1f3fecd58572ecc7824af05d50a1b5a3bc97b0dd7e024a1672409373405cd

SHA512
5b87a03d27e11bb80c429958e7750eeaaef1e2cf6010449ee7ca56bbad284ac66f890829c0dcc7b427806bec1751287697eb39c18284b8fb2db57cc46cf19a06

Download Submit
memory/1840-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1840-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1840-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1840-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1840-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2164-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2424-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2956-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2956-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing