neconyd | 26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940

General

Target

26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe
Size

71KB
MD5

955fa5469c2126f8d2b4ddf350ee3c00
SHA1

c0d7e9e882e51c1d44af4cd46ce55f5d9ed50162
SHA256

26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940
SHA512

6c30b08fb7df523f4dc5b74f06d164db5d6420f022a74fd9c2f52cf2644b287842b269c9fce8b04f22fd9d12b5d5a1df3232e317e0930e17404e0ac189cca50f
SSDEEP

1536:Qd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:QdseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1140	omsecor.exe
848	omsecor.exe
2792	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2312	26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe
2312	26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe
1140	omsecor.exe
1140	omsecor.exe
848	omsecor.exe
848	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1140	2312	26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe	30
PID 2312 wrote to memory of 1140	2312	26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe	30
PID 2312 wrote to memory of 1140	2312	26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe	30
PID 2312 wrote to memory of 1140	2312	26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe	30
PID 1140 wrote to memory of 848	1140	omsecor.exe	33
PID 1140 wrote to memory of 848	1140	omsecor.exe	33
PID 1140 wrote to memory of 848	1140	omsecor.exe	33
PID 1140 wrote to memory of 848	1140	omsecor.exe	33
PID 848 wrote to memory of 2792	848	omsecor.exe	34
PID 848 wrote to memory of 2792	848	omsecor.exe	34
PID 848 wrote to memory of 2792	848	omsecor.exe	34
PID 848 wrote to memory of 2792	848	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe
"C:\Users\Admin\AppData\Local\Temp\26d058323e818ffb41a2dc6bc503219e14c21484db0eff0738895c8f620ce940N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
941df87aa7eacc8a7acc26b3d405b06b

SHA1
ad442e15f357147b218f021bb3e74b0535fd0584

SHA256
716895f6c97c016a617d7159c4bdddb38c97108ae4c9a0fa80c0700196458f03

SHA512
3aedcea9140c1c3de01899dbc5aa015b4433e1e520dbaa6b69a143a0a537793fe6abb28e6891b4d21b20077c4e1dd6cbd8bb91b5963a37e6a69119f23eb466bc

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
1abacd77a571b6bc6548c60c9a5421ef

SHA1
c445d29ba7d1ab9fb00d6e93c500d996f8788e06

SHA256
42f61a4a33f97d3c498e4029d44d57b96f9de29e9f5a37c1357b58e1f3610b8b

SHA512
0ef162741788aa36c4939a151f8cb452416b7e725db55f728fd83a18ad956a543f5ec5cfe6e61f1771aabe222a32b4f98ff287f0dfa4435ba1bbd8caeb3aec6e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
5b0fa1258bb9a4d9053b1f19fb736cc1

SHA1
ac5c36c974c1b1efc2ef353cff0b2772cdfbffc0

SHA256
a2a01b5c8c7309bcd6e49546807e8058d16c1300e9489cf908a304b63606cd35

SHA512
40c838cfa86d2134c9306343527d4aca77611852f7566b3ac9c0fcf475812855895f8edc6b97eecdab425816405cc16b019e2ac30758891322c600143a114bdc

Download Submit
memory/848-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/848-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/848-31-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1140-19-0x0000000000370000-0x000000000039B000-memory.dmp

Filesize
172KB

Download
memory/1140-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1140-23-0x0000000000370000-0x000000000039B000-memory.dmp

Filesize
172KB

Download
memory/1140-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1140-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2312-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2312-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2792-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2792-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing