neconyd | 842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce

General

Target

842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe
Size

76KB
MD5

8ae135900ab66c987e875879ef79c12f
SHA1

c4c924e2d239cf9ab476744bda5990e106dd8ea2
SHA256

842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce
SHA512

52abaa24a708d60ff96a35c23998cdd5f5f819b41848d38cf98c54cbad66aa7e9498fed4a46d774df1ea58a5542f7eb3c7abe7b38cacd302ebec5ea7309a27f9
SSDEEP

1536:Yd9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:odseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
304	omsecor.exe
2536	omsecor.exe
2268	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2144	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe
2144	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe
304	omsecor.exe
304	omsecor.exe
2536	omsecor.exe
2536	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 304	2144	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe	28
PID 2144 wrote to memory of 304	2144	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe	28
PID 2144 wrote to memory of 304	2144	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe	28
PID 2144 wrote to memory of 304	2144	842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe	28
PID 304 wrote to memory of 2536	304	omsecor.exe	32
PID 304 wrote to memory of 2536	304	omsecor.exe	32
PID 304 wrote to memory of 2536	304	omsecor.exe	32
PID 304 wrote to memory of 2536	304	omsecor.exe	32
PID 2536 wrote to memory of 2268	2536	omsecor.exe	33
PID 2536 wrote to memory of 2268	2536	omsecor.exe	33
PID 2536 wrote to memory of 2268	2536	omsecor.exe	33
PID 2536 wrote to memory of 2268	2536	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe
"C:\Users\Admin\AppData\Local\Temp\842e91e41d43d926736d4b413adf33fdf251882c4055b51db96820bc82ade3ce.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
e7a45b26e31222c3abbe1532132135e6

SHA1
907fc04d4d71af05e90e8852cdc5fa7471433f83

SHA256
d60c81c0a1b8c0857382117d44ef82d3688a3d617d6014f2742d7c345964945e

SHA512
729bd3ee42bfad802c7c879dbcf9a049bbc785237ce920d0500c97c7aaf2e85c33cfe840272d01fba42f2c316f4f315b19d45a181fe1b7abc17f8f5ea724852b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
295965c422f5895f56b7f6e1d32b63fa

SHA1
c678f73526f146baf20f05ce1e6d99f90fb1d9c5

SHA256
2259fde5ba57f621c8343b9b5ece54f63c411735b56cb819eeae634d3a784fb1

SHA512
48669bbad6d69713665dbd95a41fd432c6b4c809b93eb99cae4dec2bbdd4bfa49e211f88ae606e28fa4cb76b40473eb818c257499953c128ebe426dc18ba9dd5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
a9e722c1570e5d7b1970b52bc7fd7603

SHA1
cd8d347c61a44f4d8592e4f968e4b5eda4c5edb7

SHA256
1871f74b29092e4699af6b52626a7bf709de17f880dbddbd16e4edf3e017e4ce

SHA512
a334f3a39bf5c218de59f7a0a47a7b8a814c544ec52f497d8a78fea07a65f70bff613ef84add09a561551c131abd018dffada101c3651b4660ebcfead40424a3

Download Submit
memory/304-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/304-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/304-16-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/304-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/304-22-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/2144-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2268-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2536-29-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/2536-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing