neconyd | 26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956

General

Target

26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe
Size

136KB
MD5

38a1819803dfc20820f119d913aa1246
SHA1

4387966799e66ef266e5118efbbc8a51f908ef8b
SHA256

26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956
SHA512

4eb65fe1fb034d88719054371da49d7d7aad65f6a189828830fe3cfb5cb82044e4128acd318407f5b79bd20ca38507184f65682bcd9c89acad8ae1a3673caaa0
SSDEEP

3072:veVM037n8BMAW6J6f1tqF6dngNmaZrxS:6o9UPOQ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3148	omsecor.exe
3068	omsecor.exe
336	omsecor.exe
1048	omsecor.exe
4776	omsecor.exe
2852	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4116 set thread context of 3212	4116	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe	83
PID 3148 set thread context of 3068	3148	omsecor.exe	87
PID 336 set thread context of 1048	336	omsecor.exe	109
PID 4776 set thread context of 2852	4776	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4868	4116	WerFault.exe	82
2596	3148	WerFault.exe	85
2788	336	WerFault.exe	108
2692	4776	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3212	4116	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe	83
PID 4116 wrote to memory of 3212	4116	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe	83
PID 4116 wrote to memory of 3212	4116	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe	83
PID 4116 wrote to memory of 3212	4116	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe	83
PID 4116 wrote to memory of 3212	4116	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe	83
PID 3212 wrote to memory of 3148	3212	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe	85
PID 3212 wrote to memory of 3148	3212	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe	85
PID 3212 wrote to memory of 3148	3212	26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe	85
PID 3148 wrote to memory of 3068	3148	omsecor.exe	87
PID 3148 wrote to memory of 3068	3148	omsecor.exe	87
PID 3148 wrote to memory of 3068	3148	omsecor.exe	87
PID 3148 wrote to memory of 3068	3148	omsecor.exe	87
PID 3148 wrote to memory of 3068	3148	omsecor.exe	87
PID 3068 wrote to memory of 336	3068	omsecor.exe	108
PID 3068 wrote to memory of 336	3068	omsecor.exe	108
PID 3068 wrote to memory of 336	3068	omsecor.exe	108
PID 336 wrote to memory of 1048	336	omsecor.exe	109
PID 336 wrote to memory of 1048	336	omsecor.exe	109
PID 336 wrote to memory of 1048	336	omsecor.exe	109
PID 336 wrote to memory of 1048	336	omsecor.exe	109
PID 336 wrote to memory of 1048	336	omsecor.exe	109
PID 4776 wrote to memory of 2852	4776	omsecor.exe	113
PID 4776 wrote to memory of 2852	4776	omsecor.exe	113
PID 4776 wrote to memory of 2852	4776	omsecor.exe	113
PID 4776 wrote to memory of 2852	4776	omsecor.exe	113
PID 4776 wrote to memory of 2852	4776	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe
"C:\Users\Admin\AppData\Local\Temp\26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe
  C:\Users\Admin\AppData\Local\Temp\26ed2cf12ca492307b41428ad54f756109fc6d325fa1c16ee588c52487ddf956.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 252
        8⤵
        Program crash
        
        PID:2692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 292
        6⤵
        Program crash
        
        PID:2788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 288
      4⤵
      Program crash
      PID:2596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 288
  2⤵
  - Program crash
  PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4116 -ip 4116
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3148 -ip 3148
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 336 -ip 336
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4776 -ip 4776
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
136KB

MD5
76ba9b799817d2647804d8ef3f2fdbd3

SHA1
9ffb1870ee8afe6507b1ab08bb99bc1d93c29829

SHA256
4bae0dde148ee335c9bf1ef779ba454d2571dbb5faf1e93331bfe1258f4f2498

SHA512
fe5f475632ca9ef58b581184e4be935d0d9bd69b46215156eeb83b359ae290d66abc317845e4fec9118bfc1206f5cfc6f779eaa9b0c1351e1011189a0d5702b5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
136KB

MD5
9619bb75ac62dd5c26fd645b3950b04b

SHA1
c424d9521f9b550c12f95e1ef3008448049de234

SHA256
c8f3a4bf640d442b4e388ccb1445febb1160c5096742ea807729a6ed9b013d51

SHA512
9ffcfff842b396195ebf285b338910aa078ccfeb19f2063a0c637c56c1e54563858356b652b2fa348b52a0b6cca6d2681e6589898c0234d899ecdc1a241f4942

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
136KB

MD5
b1866938701add26cea866f3af4f461a

SHA1
c295fc12dd50a5da841aeb7b556ae6a7910be007

SHA256
90d471ca29dae1e40a78419de3e8705700adb6a92f505de8f1c11489561d81d6

SHA512
7965b5290f0a71b900598b70b8b763ea8897f6c1195cafe919d4c68a973fc3ac40eb0a1a7f8853449ac2a1fbfcd33469bb07ebea3829000ab5bc929d77d2151f

Download Submit
memory/1048-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3212-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing