neconyd | 32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520

General

Target

32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
Size

76KB
MD5

a9713078c7fd3535245a036aa3a9f777
SHA1

84851ede7b2b766e2dec5878fcdfbdaa817ba3b7
SHA256

32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520
SHA512

f4700e4a2546a08eca77ba4de92cf99bfae9fb0e888ca80d23065b9bbd49463691fdc3697c9e3cf2f7ebe209cffbd4562ccfeb846c276f26f2f44365290fe5af
SSDEEP

1536:Pd9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:ndseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2232	omsecor.exe
1752	omsecor.exe
1532	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3048	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
3048	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
2232	omsecor.exe
2232	omsecor.exe
1752	omsecor.exe
1752	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2232	3048	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	30
PID 3048 wrote to memory of 2232	3048	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	30
PID 3048 wrote to memory of 2232	3048	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	30
PID 3048 wrote to memory of 2232	3048	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	30
PID 2232 wrote to memory of 1752	2232	omsecor.exe	33
PID 2232 wrote to memory of 1752	2232	omsecor.exe	33
PID 2232 wrote to memory of 1752	2232	omsecor.exe	33
PID 2232 wrote to memory of 1752	2232	omsecor.exe	33
PID 1752 wrote to memory of 1532	1752	omsecor.exe	34
PID 1752 wrote to memory of 1532	1752	omsecor.exe	34
PID 1752 wrote to memory of 1532	1752	omsecor.exe	34
PID 1752 wrote to memory of 1532	1752	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
"C:\Users\Admin\AppData\Local\Temp\32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
cfeb43c1b2dac22e3ca8b6e62dd67d3a

SHA1
62e652a6ee96d4491c95b72d5a9a794584b6ac23

SHA256
7870bf2676837f2f74ebe62ea42625844fd9b771ac324fa1147a49b622cab150

SHA512
9833e415ad121040aed8f6b46c4b8fcdcf24f7bae13f0aba02367fda8b67953da7ba65a5204eaa8db9c9e483e447a6839aa2e697cc0d75d67d183f397e38d957

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
27a1a00918d3ecfc38e42504b89d0936

SHA1
faa22037005496a87148d7a3894ac2c08b01cc03

SHA256
92d38dc3639536f59ad20154849d0ed2eeabe9b554079d344ea0c469d4d02a66

SHA512
e05da410cea31b87fe93e3bde8db37584bffdaf4051ba5aefb5185bbc0bbfb9072344e77c8bbc529494c3f209d16c9b1a49b8ee70d68e42ba21881d0d54dc309

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
81575e45c363eaa0f2d701cd1af9e8f3

SHA1
1d61b5fe025772561a26083e6e5c3dfd977bb3d4

SHA256
0a0d3c5066db4434ae538fcf1a5bcca5c1c8c324acb7e47f0010cce252bfaa3d

SHA512
7312bec723d9d256945cbde586d8d99f2fd73555af5f1a854417ae3a72434f6a7d9e570d4993f03d33bf08c937da4cd7de7fde0c6ab5b96f6261aa9158b37fc0

Download Submit
memory/1532-40-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1532-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-18-0x0000000000570000-0x000000000059A000-memory.dmp

Filesize
168KB

Download
memory/2232-26-0x0000000000570000-0x000000000059A000-memory.dmp

Filesize
168KB

Download
memory/2232-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-39-0x0000000000570000-0x000000000059A000-memory.dmp

Filesize
168KB

Download
memory/2232-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-8-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/3048-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing