neconyd | d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653

General

Target

d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe
Size

65KB
MD5

e19a4eb6cfce9d24233437ea72bcc4b0
SHA1

b143d971c9ddde73ec18c347091572efaf610fd2
SHA256

d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653
SHA512

2de3c5f0b37cb42fd217ead99f013ffb4743cb588ab4119d9c1c2eec6e9242279ee8dbf651bd86d5dd73a16d336b2c96e6eb47a6d98692699e54ff8548006230
SSDEEP

1536:rd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:bdseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1632	omsecor.exe
1240	omsecor.exe
2516	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2408	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe
2408	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe
1632	omsecor.exe
1632	omsecor.exe
1240	omsecor.exe
1240	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1632	2408	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe	30
PID 2408 wrote to memory of 1632	2408	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe	30
PID 2408 wrote to memory of 1632	2408	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe	30
PID 2408 wrote to memory of 1632	2408	d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe	30
PID 1632 wrote to memory of 1240	1632	omsecor.exe	33
PID 1632 wrote to memory of 1240	1632	omsecor.exe	33
PID 1632 wrote to memory of 1240	1632	omsecor.exe	33
PID 1632 wrote to memory of 1240	1632	omsecor.exe	33
PID 1240 wrote to memory of 2516	1240	omsecor.exe	34
PID 1240 wrote to memory of 2516	1240	omsecor.exe	34
PID 1240 wrote to memory of 2516	1240	omsecor.exe	34
PID 1240 wrote to memory of 2516	1240	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe
"C:\Users\Admin\AppData\Local\Temp\d2751b13609631a0b85bb9fb27c68e765def682b31ae0a375bd872947a34f653N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
2ef3d34e6d21d522b489c091d66f5fdf

SHA1
4c6701e34e3c59a81cec328ee9ac75a636484398

SHA256
cdf48f239b4e469ba9d68826ef34d6cbd5ca107f02e4b3574d490a44727befa3

SHA512
0b861b593f132b265e8603e72c30013142b9f899568a0d42457d6d022307aacff181cead8b66337b1a7871b0c8337e343618d4cd5949cdb71e58135fbf685e21

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
3d4ffdd1ae03ed502d17dc34840efdc9

SHA1
91f3122e6a534058614d56614ba62ceb6e7671a6

SHA256
f3bfd735a6ce16de995ca0a3c31c3bcf4235d5d836edac864a7eb087c4e216f8

SHA512
aa3c5c1c5b3bfd710e0bb453d710d1b6c941d92880f8634a24afc8113de49ce3964178e7466e7988644ee574fc1d36f095b83c7d34d4656dff98a377b5443b54

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
bf42c291dbc57702050777e53da04798

SHA1
57c0d8312ed904651f2c006f6ac567b2175b4e7b

SHA256
f3ced32aad1dc6e63a529d62f4d475f652320e3fdca5f64d5a92017531f1c5ab

SHA512
1f56f71a2725b2ebcc4c2dd046b4562faddfd5ee2b3cfa9813adfbb8ef3fe86af62f913310ca917fd2619b96efb1c7a8f3b7f8ad768274bbe6d862c51a380c95

Download Submit
memory/1240-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1240-33-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1632-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1632-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1632-17-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/1632-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2408-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2408-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2516-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2516-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing