neconyd | aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874

General

Target

aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe
Size

92KB
MD5

47d993f1bd5705986bdd012fd96fc70f
SHA1

4f07bd8b004d48dd25d5d74621104d7231b8f36f
SHA256

aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874
SHA512

6171987abdca94c22ffb1366f9f2982269b89914f3dbcea964016ecb379b6df401b06a6c885f74da32e6aa53d6c247a605ce52aeb0db4dc9e8c9800a554ea422
SSDEEP

1536:cd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5d:kdseIOyEZEyFjEOFqTiQm5l/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1668	omsecor.exe
1512	omsecor.exe
948	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2596	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe
2596	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe
1668	omsecor.exe
1668	omsecor.exe
1512	omsecor.exe
1512	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1668	2596	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe	30
PID 2596 wrote to memory of 1668	2596	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe	30
PID 2596 wrote to memory of 1668	2596	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe	30
PID 2596 wrote to memory of 1668	2596	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe	30
PID 1668 wrote to memory of 1512	1668	omsecor.exe	33
PID 1668 wrote to memory of 1512	1668	omsecor.exe	33
PID 1668 wrote to memory of 1512	1668	omsecor.exe	33
PID 1668 wrote to memory of 1512	1668	omsecor.exe	33
PID 1512 wrote to memory of 948	1512	omsecor.exe	34
PID 1512 wrote to memory of 948	1512	omsecor.exe	34
PID 1512 wrote to memory of 948	1512	omsecor.exe	34
PID 1512 wrote to memory of 948	1512	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe
"C:\Users\Admin\AppData\Local\Temp\aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
1aa1486631d89f1c89d18dc32cd231f8

SHA1
166fd6e3bb346e8f6ebcf2be5f21f7e026abe0c4

SHA256
b8724fa98fc644e74c5510e4a1a34e4e930aabca7fcd5d3fff742a44db8908d7

SHA512
01eb55c9be870a97e429512ecd0ffa49b210e6483028b7617d1aee1fab4768d357f68be3cb448fa29febd229d181a0fb94da7c4ad7d73b30bd2f2e355dbe2671

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
c66ba0de8996a525194840e7cc3cf964

SHA1
171a8d5d20cce2136b3a3b24883d3e7776ab723a

SHA256
08fc46286be98c5014cccf40ed3b93c9ea633b7f31683567958b4a728ae06f75

SHA512
48c6daf64229aafc5e01a51d988f264c3501da96ed7645b16c1d8bb0e5a4b170e840e16be29877dcf655a12840e86cdd61ce98bc18796266b78c5f6a1b32ba3a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
6d8fdb3d3e7aa842c612baed1a74b837

SHA1
3f164da210a393589d01aa5d65013c410019eac8

SHA256
48e8b9274fda01922bd477e2cabbcc00b05678a593784087b3e1dd5b16b41ac9

SHA512
fb8dd855da48cecfec9f11000115ca5ce9a75672150e0b78dfce58d8efe0db68abc902eaf556b0ae2dda944a9a7a375f22d9947d68577ecdec5a2599af591c28

Download Submit
memory/948-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/948-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1512-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1668-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1668-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1668-16-0x00000000002A0000-0x00000000002CB000-memory.dmp

Filesize
172KB

Download
memory/1668-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2596-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing