neconyd | ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52

General

Target

ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe
Size

70KB
MD5

f188a8c2e84ed1be1d02a7b2a248eb40
SHA1

eef8a31ae6d45f8992fbb40fee3fd331d5fa462a
SHA256

ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52
SHA512

bc3da1760d0f4970315e48b034fc028d7542b7f6f9cad1ca4e39264a61622f350e2ab9c323c8d7d160934e0f99152ec781616c40c3fc99221edf4676ea3958f6
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF+N4yS+AQmZsDHNzfE:kdseIOMEZEyFjEOFuTiQm+DHNzfE

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2812	omsecor.exe
1352	omsecor.exe
1832	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2788	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe
2788	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe
2812	omsecor.exe
2812	omsecor.exe
1352	omsecor.exe
1352	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2812	2788	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe	31
PID 2788 wrote to memory of 2812	2788	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe	31
PID 2788 wrote to memory of 2812	2788	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe	31
PID 2788 wrote to memory of 2812	2788	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe	31
PID 2812 wrote to memory of 1352	2812	omsecor.exe	33
PID 2812 wrote to memory of 1352	2812	omsecor.exe	33
PID 2812 wrote to memory of 1352	2812	omsecor.exe	33
PID 2812 wrote to memory of 1352	2812	omsecor.exe	33
PID 1352 wrote to memory of 1832	1352	omsecor.exe	34
PID 1352 wrote to memory of 1832	1352	omsecor.exe	34
PID 1352 wrote to memory of 1832	1352	omsecor.exe	34
PID 1352 wrote to memory of 1832	1352	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe
"C:\Users\Admin\AppData\Local\Temp\ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
70KB

MD5
f572df81092422c9dd0d6612733c8e11

SHA1
0c10742e81376d0185171ed9c62b4833a3ad738a

SHA256
6329224fa74b7698e5b7954ec88e8bf33b0052b4b475d0e8db7fbff19a313007

SHA512
7b3b800513bc2dc6de0ed1103dc2ce2ec7b003a41207b05730178df2d658cf42c033e11cf3c55730b7126def43be9f4073171efd63d71f28a2cc08d3437ade55

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
70KB

MD5
a005cc6ccacd9f300b0b7da5a7582892

SHA1
994fe20b2220e528a2d6545fca735299e3f18359

SHA256
d1069f0b299c45e65b57974cb737be4419ca7db18c47d5f9ccdd9cd5e2f1b78a

SHA512
663ae2caac6d154d5ad08c5986041aaf973d26c2e46a2144b8efae765ed0a313ed55f0e11990889649a0ce4cf11c6b0ea4b187d6f4e3276516a69229d48bf8c6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
70KB

MD5
ace9acb8ddb30d27353adc728d26240f

SHA1
b23b6a62b1019aedc16cef1940c39a972ef78a89

SHA256
47d85dffe215b39fac667c363a992a290016abc3f31b30d3c0a148816b08e1db

SHA512
39e5f674f51cbf20e2eb3c74813e47da0210db766f42027158d06c58ba6bd07fc93631a8019b164045d03a4c2bb994deafe29c3bf1250babf87652bc6ae245b9

Download Submit
memory/1352-30-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/1352-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1832-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2788-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2788-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2812-25-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/2812-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2812-17-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/2812-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2812-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing