neconyd | 5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a

General

Target

5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe
Size

90KB
MD5

cc222301a4a9b09492d78de247e590fa
SHA1

566fc3ff32d9fb77f4b3eaca91002ee7c287dc94
SHA256

5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a
SHA512

904862e067812a8f1a0d85876c97dbcc222884503b969e0ea1c5999a8bea5577688f02a6280785c9c42df9ee7df5ed298e0fa6affc54de6122ad27e88f0fdf85
SSDEEP

768:jMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAu:jbIvYvZEyFKF6N4aS5AQmZTl/5m

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2732	omsecor.exe
1984	omsecor.exe
3024	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2036	5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe
2036	5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe
2732	omsecor.exe
2732	omsecor.exe
1984	omsecor.exe
1984	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2732	2036	5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe	30
PID 2036 wrote to memory of 2732	2036	5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe	30
PID 2036 wrote to memory of 2732	2036	5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe	30
PID 2036 wrote to memory of 2732	2036	5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe	30
PID 2732 wrote to memory of 1984	2732	omsecor.exe	33
PID 2732 wrote to memory of 1984	2732	omsecor.exe	33
PID 2732 wrote to memory of 1984	2732	omsecor.exe	33
PID 2732 wrote to memory of 1984	2732	omsecor.exe	33
PID 1984 wrote to memory of 3024	1984	omsecor.exe	34
PID 1984 wrote to memory of 3024	1984	omsecor.exe	34
PID 1984 wrote to memory of 3024	1984	omsecor.exe	34
PID 1984 wrote to memory of 3024	1984	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe
"C:\Users\Admin\AppData\Local\Temp\5b68c337d18fabdb4e0b378783ee8c926d70ea6c43b0bebd0f8ee99ec51dd99a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
a6a1fcda1d378f15fd9310fe3ef2225a

SHA1
8ecd9fdc504072dac70d9bfae3010cda39ac5e09

SHA256
fe9b78e5539a35d7172b4532c3fdd03ce87da231e459e021e85d4cb7d9ca7f4b

SHA512
767595e525c532ef8cc21a2264428c143f2f455c93fcf8b112538eb953137dcf80ec976af5ba8ddb24f70a959c126b4b96cff6ae5343338aaa48b371deb3f6f8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
eb58b71cca721dc55f833b68fcdbee6a

SHA1
7eff1046014f905d74f76ec206fd46d9ff3a4304

SHA256
f9f096dd0da8a2b4af09747dcf0ab9d0619fe2060169aaa09daa84dfa892fdd7

SHA512
552a6ed1f7af5d475d76cf0cd6304f9d40cb80ef6e551652ce66f826c25da8d8b287c3123a13426c2a1d2d579529df48529f92915667d1f31bfce3ab1f35c51e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
ab284db4774d986f92639c05060742bf

SHA1
304c1f7ad6fe295997d74306478582c6e2621855

SHA256
fe2214c2fd99c2fc81359ffc341375164345c76d854bf9e38018098f4b272390

SHA512
5080e4a41e793a98ed013cca0a802c23c29ff8a35ccb973304e139838456dc199ca8d321d8ce30335c9ad4f134838c18a47dc4fe32162bf56e68791702cdd9f2

Download Submit
memory/1984-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1984-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1984-31-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2036-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2036-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2732-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2732-23-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2732-22-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2732-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2732-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3024-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing