neconyd | 2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501

General

Target

2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe
Size

72KB
MD5

5c12566295f602c03c2318bcdc536760
SHA1

84fe4be77d660a51cb092c658ef0405657b39a42
SHA256

2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501
SHA512

a533c773df89d316cd81b3df90de69e5149acde7db032bb0557dd3eff462ee7e8db3cd4ce073aa761918f568fe949ca06daf2dc41ce6b5513b855c513a2916b3
SSDEEP

1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/52119:KdseIOMEZEyFjEOFqTiQm5l/52119

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2064	omsecor.exe
2132	omsecor.exe
2116	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2296	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe
2296	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe
2064	omsecor.exe
2064	omsecor.exe
2132	omsecor.exe
2132	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2064	2296	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe	30
PID 2296 wrote to memory of 2064	2296	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe	30
PID 2296 wrote to memory of 2064	2296	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe	30
PID 2296 wrote to memory of 2064	2296	2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe	30
PID 2064 wrote to memory of 2132	2064	omsecor.exe	33
PID 2064 wrote to memory of 2132	2064	omsecor.exe	33
PID 2064 wrote to memory of 2132	2064	omsecor.exe	33
PID 2064 wrote to memory of 2132	2064	omsecor.exe	33
PID 2132 wrote to memory of 2116	2132	omsecor.exe	34
PID 2132 wrote to memory of 2116	2132	omsecor.exe	34
PID 2132 wrote to memory of 2116	2132	omsecor.exe	34
PID 2132 wrote to memory of 2116	2132	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe
"C:\Users\Admin\AppData\Local\Temp\2ba064a25b752dc514cd91bfb7cfa8daf67903cc9e10ecf45217521c7329a501N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
fda4a3c6263c4deb3df1fa09af567393

SHA1
cea78d308c3eeebc97aa1925b3730cf60eb4203c

SHA256
52097f71539dfe850b36828ed69f768d867ca29bcdf21349d20dc5a5c67abbda

SHA512
d25ff60db6987b5d41ff02387903af50dc5d86fd27394c38537b7763be93d860557a5ae2a15f994f874f7f9fdf18fab18df17e5af826e3024d15dc8eadd8d60b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
5b19dee8e0c6d053b452e879ef7308ff

SHA1
31ea8972a8f0ea0c2be5eac22ce99f2fe890419a

SHA256
fa5e34ab72180df7046a33d98ee851454d1e4f1161c71c58837f09c6836dd7ed

SHA512
23decc12599c01fa9e86373ea48ffe1e785cae43506c72bc358bd4d6300a5c15d6352173a09b0ee4b79f9ce8bb67d96bdea122fc4fcdef7f6ec7335f6548f27c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
6c4c8b18b0736d2f51d45e96543fcf86

SHA1
a096d1346f200e88843988ed874fef54837e8219

SHA256
df4dd3e1646466794c2f58e144af767591f7e33c84804ea990732c4eaa0b1562

SHA512
deba6847ea174d6b90339167ebed270b36f332e61df72dea2972d2465946c48e8fc97fcfe62d378083e7bad086f4747b765f87f620886c8fad269bd8b3502089

Download Submit

Analysis

Sharing