neconyd | 1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3

General

Target

1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe
Size

92KB
MD5

f51e4622f42425e5e43cacdc7824a0d0
SHA1

f8bc6469df1716361173bd4281713e0181e8bf57
SHA256

1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3
SHA512

8daf68dda8b1e843b8ab20aaa6f9936635b7a25709ee61f0e0f6c3c1968126368c3c3313e9d4fba6532da2c68126a423f81c74203e9be99f2a85fc495693766b
SSDEEP

1536:Yd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:odseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1744	omsecor.exe
1660	omsecor.exe
1044	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2096	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe
2096	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe
1744	omsecor.exe
1744	omsecor.exe
1660	omsecor.exe
1660	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1744	2096	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe	30
PID 2096 wrote to memory of 1744	2096	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe	30
PID 2096 wrote to memory of 1744	2096	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe	30
PID 2096 wrote to memory of 1744	2096	1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe	30
PID 1744 wrote to memory of 1660	1744	omsecor.exe	33
PID 1744 wrote to memory of 1660	1744	omsecor.exe	33
PID 1744 wrote to memory of 1660	1744	omsecor.exe	33
PID 1744 wrote to memory of 1660	1744	omsecor.exe	33
PID 1660 wrote to memory of 1044	1660	omsecor.exe	34
PID 1660 wrote to memory of 1044	1660	omsecor.exe	34
PID 1660 wrote to memory of 1044	1660	omsecor.exe	34
PID 1660 wrote to memory of 1044	1660	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe
"C:\Users\Admin\AppData\Local\Temp\1ae422c42d28b5b470d437db502b79fff26db3fc796038f977d64e166279def3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
1297acec94d7a12a1feb51e4f4020d3a

SHA1
6fc80d6f02a77844786dadcd972d215ce298b87b

SHA256
993c389bc6bce481b7b817beaa4bcffbb8bbf4d4883e69689f0195c084ad4e73

SHA512
b0640fd6a85c55461afd3fab6711b50811d1f9ca3bbf5ba0d5370c92ead17989b981985724fc4c2fb5d03b9ffe2a14550f8be148fbdb2443a30e46194927fe9e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
1eb0192bf97ddca9f6826edacc3bf9fe

SHA1
bb8e3f725a34d6630944916800dc59e682384be6

SHA256
65b2465034b9c31755c0572e2597a76f01468292e8b64aac0f12b27870bc52ba

SHA512
5920e10eb250ca463d9f8709f53b7aeb12f52a6f61c05a624f1c121d480974329c4a8211d23611777845f1ae1945b3398185d056cd08449d6f350899e1c314cf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
992eb8f3a92a967f313eacb46db29deb

SHA1
4eae027e673c469931c7073481a10ee018f7f35a

SHA256
639faabdebb9a22183dd19bc45dc56abe779daae9c0f2387d054ec951cfb8309

SHA512
5b198f3fbfbbb19bb454db229f020bcc428a796e499834c7d2f964c73b60b81eb01a05d228a34dbb545213fb7a8e851b02af4c91117da29fd9e1809550e96e81

Download Submit
memory/1044-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1044-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1660-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-19-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/1744-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2096-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2096-8-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2096-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2096-10-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing