neconyd | 32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520

General

Target

32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
Size

76KB
MD5

a9713078c7fd3535245a036aa3a9f777
SHA1

84851ede7b2b766e2dec5878fcdfbdaa817ba3b7
SHA256

32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520
SHA512

f4700e4a2546a08eca77ba4de92cf99bfae9fb0e888ca80d23065b9bbd49463691fdc3697c9e3cf2f7ebe209cffbd4562ccfeb846c276f26f2f44365290fe5af
SSDEEP

1536:Pd9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:ndseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2216	omsecor.exe
396	omsecor.exe
1996	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2924	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
2924	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
2216	omsecor.exe
2216	omsecor.exe
396	omsecor.exe
396	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2216	2924	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	31
PID 2924 wrote to memory of 2216	2924	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	31
PID 2924 wrote to memory of 2216	2924	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	31
PID 2924 wrote to memory of 2216	2924	32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe	31
PID 2216 wrote to memory of 396	2216	omsecor.exe	34
PID 2216 wrote to memory of 396	2216	omsecor.exe	34
PID 2216 wrote to memory of 396	2216	omsecor.exe	34
PID 2216 wrote to memory of 396	2216	omsecor.exe	34
PID 396 wrote to memory of 1996	396	omsecor.exe	35
PID 396 wrote to memory of 1996	396	omsecor.exe	35
PID 396 wrote to memory of 1996	396	omsecor.exe	35
PID 396 wrote to memory of 1996	396	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe
"C:\Users\Admin\AppData\Local\Temp\32f795de88acd19c31b9a5df534721c307900c4223a9ff4e520146ac6458d520.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
cfeb43c1b2dac22e3ca8b6e62dd67d3a

SHA1
62e652a6ee96d4491c95b72d5a9a794584b6ac23

SHA256
7870bf2676837f2f74ebe62ea42625844fd9b771ac324fa1147a49b622cab150

SHA512
9833e415ad121040aed8f6b46c4b8fcdcf24f7bae13f0aba02367fda8b67953da7ba65a5204eaa8db9c9e483e447a6839aa2e697cc0d75d67d183f397e38d957

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
1c3118c756f60cc8d4e7b6b04e49cfae

SHA1
333c7c34a8276cd07d8d307cf15711d58bdd3f64

SHA256
b2630c464de81b2981ee10a2578738015fbbacf40dd25205d75fb55c5a94bc28

SHA512
d46ea435b25f379484119763b0b177512399a1f8bb1383605858c2d93db16dd4efef7d57412fc35ce0242e29e1b533c97e19e5ca29468727cfe45994ea8a538e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
a377bce12bc943e8a1ce943d5655d6bf

SHA1
e45064c5d14067cf399fd9bf7ea2f19a2ceb5eae

SHA256
13dcbba7eed4a4e70e3c7b9a66456ee6906efb206fce466acfadc1dc3f53b538

SHA512
0a1e4bd4da7eb82be9e7ee38cd0f79417b33bf8557055fc6f2dabefb5f90217758079bd26466dd68df5db42eccdb6360df9d249e2ea58543b96d6e2f5e29b9d1

Download Submit
memory/396-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1996-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1996-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2216-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2216-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2216-16-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/2216-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2924-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing