neconyd | 0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff

General

Target

0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe
Size

65KB
MD5

6967e2a07acaca6967a3b07d36fcf6ce
SHA1

3fb91fa9ff16e5fdfdcc36ce933a6abf23572651
SHA256

0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff
SHA512

ebb98b7cde43517e4de1cc2e9fed43e90c304cb41b834f4b9a1a07bda5e041ec841a7c43dd8f79342556b46ead66e94cf0d9e722f5cab9cc2445b1014277ac57
SSDEEP

1536:ud9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzd:2dseIO+EZEyFjEOFqTiQmRHzd

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1328	omsecor.exe
2416	omsecor.exe
2972	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2596	0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe
2596	0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe
1328	omsecor.exe
1328	omsecor.exe
2416	omsecor.exe
2416	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1328	2596	0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe	30
PID 2596 wrote to memory of 1328	2596	0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe	30
PID 2596 wrote to memory of 1328	2596	0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe	30
PID 2596 wrote to memory of 1328	2596	0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe	30
PID 1328 wrote to memory of 2416	1328	omsecor.exe	33
PID 1328 wrote to memory of 2416	1328	omsecor.exe	33
PID 1328 wrote to memory of 2416	1328	omsecor.exe	33
PID 1328 wrote to memory of 2416	1328	omsecor.exe	33
PID 2416 wrote to memory of 2972	2416	omsecor.exe	34
PID 2416 wrote to memory of 2972	2416	omsecor.exe	34
PID 2416 wrote to memory of 2972	2416	omsecor.exe	34
PID 2416 wrote to memory of 2972	2416	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe
"C:\Users\Admin\AppData\Local\Temp\0c476da180297e0c9d2ac21388c7fe58a44841cff88ca59ef42bae5329f5ecff.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
884f37d4acd48238d43b649ebd4d4b4b

SHA1
a451d7ccf6b8131b7ffa49ec5672a17dbe83bd3c

SHA256
b63ff6f1ead8f5cf2abedbdf516bc1e9be58eb4b9471e9e750238607d026889d

SHA512
8a1aa724861943fd527c0417fbaa452ee42bc2a1e1a98f42fd0e5280b9e8c30d680eb23924190362eb8a3ded0a3d32de84f61df6404c71a2ad1a5b74c3a2255b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
af57935c6411ed0dac9fa58d350c6c11

SHA1
d2f722908d1b8b21eccf10e592efd855d2f975cd

SHA256
a742554a7d739744ae89c84dd7c2506fd2952edcae59894fc55466ce0721987f

SHA512
11c313fb85653d4342aa5119244a3d19791423074da82ebd62b01d3a9c76c6ee1de07b904a1a6719f426418483e74b21a7c8bf2ab515b036cc3f9f9df760dcd6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
63284f28f0928647890165348f5feb39

SHA1
bf79bb7f4dcd6256b036436aec8186ed582d0dbb

SHA256
26a1cc95df4f8adfcd67ba717d3db3c4c1754fa23b5b55b5bb29e65630fe1ee5

SHA512
42dc3b87ad501473c29d9186730bade456d2bb538eef10e7c37bed1acaec3878ff25a9cb0ff2d6a9163a5c033cf50b58e56d5788053fd3fa7de5a50c48081cdb

Download Submit
memory/1328-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1328-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1328-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1328-17-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/2416-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2416-34-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2416-33-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2596-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2596-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2972-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing