neconyd | 1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669

General

Target

1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
Size

71KB
MD5

04f6650d9b17bcc0c0409cf712c6b0e5
SHA1

7753d3937251fb6b657fae9eb7efe221e3057a5d
SHA256

1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669
SHA512

bc7c7decc774484c3d59513e85e181287efeae2fe2b22ee45b3b85961a03957fb762928e07385d786a71c5945e2b46bccc2f1c574cc1c6ee2a92f18f68b2e564
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHV:XdseIOMEZEyFjEOFqTiQmQDHIbHV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2364	omsecor.exe
2996	omsecor.exe
2740	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1740	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
1740	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
2364	omsecor.exe
2364	omsecor.exe
2996	omsecor.exe
2996	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2364	1740	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	30
PID 1740 wrote to memory of 2364	1740	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	30
PID 1740 wrote to memory of 2364	1740	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	30
PID 1740 wrote to memory of 2364	1740	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	30
PID 2364 wrote to memory of 2996	2364	omsecor.exe	33
PID 2364 wrote to memory of 2996	2364	omsecor.exe	33
PID 2364 wrote to memory of 2996	2364	omsecor.exe	33
PID 2364 wrote to memory of 2996	2364	omsecor.exe	33
PID 2996 wrote to memory of 2740	2996	omsecor.exe	34
PID 2996 wrote to memory of 2740	2996	omsecor.exe	34
PID 2996 wrote to memory of 2740	2996	omsecor.exe	34
PID 2996 wrote to memory of 2740	2996	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
"C:\Users\Admin\AppData\Local\Temp\1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
9543c45a106cc2aecb703a8e4e944826

SHA1
ee4807bb2d01fb9277609da329de7e0481a22501

SHA256
c69a99fcd240811ce7d5027e24e39d48257bd9f9063b4e164eae544d546f9f8b

SHA512
77d75a0413e40a98affe5b73fcac617d38ba8013979f463e2d0b6e3a64428a2215cf7220777834d945aa4c459a6d7e1a67ed496755f562fbdc167f60c9ebfd1e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
ec998c1fde6df825989863ffa44461c8

SHA1
c1845099ae5329712392b6fb9310381ab41c74ff

SHA256
9fc856803f5474f7eb1ddab036f0d5a885704fd1492ceedf4b8c800efd4a1119

SHA512
38e44548073b81bebbd1cf9f4d2fbeec8a9ba5d90a327c3bf0ccf43431a34cd7d0c1483169bcfaa0302eadace8cc75aebae344d59eba6f21a25ff6f3a9f0baa0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
4be50df3892ea72abb22811f1a9932bb

SHA1
3c5b6b53b5389459a6bffaa532af6b956fdfc845

SHA256
572b0ebbced01501759d85b710fd69a7355e90350c718d240a087a021b142b90

SHA512
3e33daef38dc436407a09b38f102f04615972149cb2f8d8f382fbc31fa0e949245aba20e5f74da5b9a3b0db02d78aaa50dadc69e61a0460316b9b8c9dd7a318a

Download Submit
memory/1740-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1740-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2364-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2364-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2364-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2740-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2740-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing