neconyd | 1885a56768f6b22bde822d77c42fabed44887a883a274d40ac8cf4b62a1122eb

General

Target

1885a56768f6b22bde822d77c42fabed44887a883a274d40ac8cf4b62a1122ebN.exe
Size

33KB
MD5

7db6c213b8b80eb3764bf9c60d7dca90
SHA1

e7cca96fb428933e6555416e3134b0169b2167f8
SHA256

1885a56768f6b22bde822d77c42fabed44887a883a274d40ac8cf4b62a1122eb
SHA512

fd777d0fa627449ab029b443ccbe936c543fb2e405a62c4400356918a955191c7e0b40126e9a1f160854ba4557ad2b68c79d251d243ac0f54e9fa9bd2cf8cb8e
SSDEEP

768:/fVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:/fVRztyHo8QNHTk0qE5fslvN/956q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4824	omsecor.exe
696	omsecor.exe
3592	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1885a56768f6b22bde822d77c42fabed44887a883a274d40ac8cf4b62a1122ebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 4824	2356	1885a56768f6b22bde822d77c42fabed44887a883a274d40ac8cf4b62a1122ebN.exe	82
PID 2356 wrote to memory of 4824	2356	1885a56768f6b22bde822d77c42fabed44887a883a274d40ac8cf4b62a1122ebN.exe	82
PID 2356 wrote to memory of 4824	2356	1885a56768f6b22bde822d77c42fabed44887a883a274d40ac8cf4b62a1122ebN.exe	82
PID 4824 wrote to memory of 696	4824	omsecor.exe	92
PID 4824 wrote to memory of 696	4824	omsecor.exe	92
PID 4824 wrote to memory of 696	4824	omsecor.exe	92
PID 696 wrote to memory of 3592	696	omsecor.exe	93
PID 696 wrote to memory of 3592	696	omsecor.exe	93
PID 696 wrote to memory of 3592	696	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\1885a56768f6b22bde822d77c42fabed44887a883a274d40ac8cf4b62a1122ebN.exe
"C:\Users\Admin\AppData\Local\Temp\1885a56768f6b22bde822d77c42fabed44887a883a274d40ac8cf4b62a1122ebN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
43019209ec493e68e59c7cc7702cc9a8

SHA1
e54c0880decc72643806d89bc4ae62de456ec4b4

SHA256
c667c00bda1ab54904258ae902e218c8c41ba3a83dbd67b542c3422bb307c2fe

SHA512
8e853b21720a2e48714bb0892d0b0a86722e5e8b4a02006dda85a4fdecd1f7c0a726c4f3073fd700b79c0217c54107da1e1926a8163506dcb7d4effe3ff86fd0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
177094dc1624194202c2a950a864f041

SHA1
dbc5c8e0531a7bacf2129f8d471afca3b20ae473

SHA256
2ebad9f8f2c46b1714d2860e4bdff3642389af5be85fb30ebad1c67cf461f888

SHA512
1ce01cf5f461e9931ee25fb3064244801c6f9646759f9ea6655f40ad10dbad724cd2a805488120b5b7569a7c21a39510f1c9156a5dad9ed7fef03776efd7ca1c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
f31bce89a1b758f4d9ad6bc9558666c7

SHA1
7e93b07c5a7df5cd7ec9ade6b463e110054fe125

SHA256
a384b02f25f80412fe59f89b1b98cf80c8b6641b969bc4b2e30cd3f5f907818a

SHA512
37b9bd03ecda6bb27aef81a91ac39345b3b01156c7423431104aa8cdb7ab4847fd988b38b265392265908ae32185e41c2a6674ff266710e0c1a779223a2294ca

Download Submit
memory/696-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/696-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2356-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2356-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3592-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3592-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4824-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4824-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4824-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4824-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4824-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4824-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing