neconyd | 1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669

General

Target

1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
Size

71KB
MD5

04f6650d9b17bcc0c0409cf712c6b0e5
SHA1

7753d3937251fb6b657fae9eb7efe221e3057a5d
SHA256

1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669
SHA512

bc7c7decc774484c3d59513e85e181287efeae2fe2b22ee45b3b85961a03957fb762928e07385d786a71c5945e2b46bccc2f1c574cc1c6ee2a92f18f68b2e564
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHV:XdseIOMEZEyFjEOFqTiQmQDHIbHV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2688	omsecor.exe
2580	omsecor.exe
2916	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2644	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
2644	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
2688	omsecor.exe
2688	omsecor.exe
2580	omsecor.exe
2580	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2688	2644	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	30
PID 2644 wrote to memory of 2688	2644	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	30
PID 2644 wrote to memory of 2688	2644	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	30
PID 2644 wrote to memory of 2688	2644	1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe	30
PID 2688 wrote to memory of 2580	2688	omsecor.exe	32
PID 2688 wrote to memory of 2580	2688	omsecor.exe	32
PID 2688 wrote to memory of 2580	2688	omsecor.exe	32
PID 2688 wrote to memory of 2580	2688	omsecor.exe	32
PID 2580 wrote to memory of 2916	2580	omsecor.exe	33
PID 2580 wrote to memory of 2916	2580	omsecor.exe	33
PID 2580 wrote to memory of 2916	2580	omsecor.exe	33
PID 2580 wrote to memory of 2916	2580	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe
"C:\Users\Admin\AppData\Local\Temp\1e3a4a2d82281040e58098f44797cb310fcc3b808639250e57e038b50f2e1669.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
dbfdda10f83c95b88c819e0b7234d638

SHA1
0681bfbbd3e20a70bac38099980fcfd678b02a97

SHA256
921848ee2904e6152136e0fcd3636293f6824dbdb41e607778d39c8a72dc16ff

SHA512
3774ecc76500cb5802847a6d6473bd93d56fb3be4a587c84ecd17de5eb367fdcc31972d3af9846df3e8355b5f8358a98558e6c4fa9093c119344e575017b7687

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
9543c45a106cc2aecb703a8e4e944826

SHA1
ee4807bb2d01fb9277609da329de7e0481a22501

SHA256
c69a99fcd240811ce7d5027e24e39d48257bd9f9063b4e164eae544d546f9f8b

SHA512
77d75a0413e40a98affe5b73fcac617d38ba8013979f463e2d0b6e3a64428a2215cf7220777834d945aa4c459a6d7e1a67ed496755f562fbdc167f60c9ebfd1e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
1a64f091aefc7440965412e9a613575b

SHA1
3768f7a07a247a8cf81044cd018e3be05f552be9

SHA256
6fb26e3417b5d52157cb480bae8381efd1a9a7255e6aa2996094106a4e93e7bf

SHA512
07816c5e3edcccd440dfcc1162a89401bf8579408ed6df6aa836f48a888878fbadfc53ba4ff4afa7bbec9863efefdacbf7bb0525c09046516ac0eaef9236f05e

Download Submit
memory/2580-27-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2580-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2644-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2688-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2688-15-0x0000000002250000-0x000000000227B000-memory.dmp

Filesize
172KB

Download
memory/2688-23-0x0000000002250000-0x000000000227B000-memory.dmp

Filesize
172KB

Download
memory/2688-21-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2916-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2916-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing