neconyd | ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053

General

Target

ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe
Size

76KB
MD5

3249742a7d0e3497996c9de74db29b00
SHA1

a132d9ffbe6045ab69b35a7d8acb3dfa947273c0
SHA256

ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053
SHA512

02d1fd6a4ba75049a07c05b7852dbc14a27c7a2ae69176f6e949b28f9b71c70142d44af2833dd20f0bd3f7641d1933f967e3fa1e55bbf11a488c06754172d251
SSDEEP

1536:3d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11H:/dseIOMEZEyFjEOFqaiQm5l/5w11H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2668	omsecor.exe
2112	omsecor.exe
2940	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2172	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe
2172	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe
2668	omsecor.exe
2668	omsecor.exe
2112	omsecor.exe
2112	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2668	2172	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe	30
PID 2172 wrote to memory of 2668	2172	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe	30
PID 2172 wrote to memory of 2668	2172	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe	30
PID 2172 wrote to memory of 2668	2172	ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe	30
PID 2668 wrote to memory of 2112	2668	omsecor.exe	32
PID 2668 wrote to memory of 2112	2668	omsecor.exe	32
PID 2668 wrote to memory of 2112	2668	omsecor.exe	32
PID 2668 wrote to memory of 2112	2668	omsecor.exe	32
PID 2112 wrote to memory of 2940	2112	omsecor.exe	33
PID 2112 wrote to memory of 2940	2112	omsecor.exe	33
PID 2112 wrote to memory of 2940	2112	omsecor.exe	33
PID 2112 wrote to memory of 2940	2112	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe
"C:\Users\Admin\AppData\Local\Temp\ade2bd01238921669158fc93493bebdd619f6f70a694139a7ad16d2161d55053N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
baf1f36155cf84fb7b0b3f63f81fba01

SHA1
9af57ba8309f096df3d7d9df28175c318c057608

SHA256
40c86f3d586f85c41a766bc0b017d7776b38825b57de189c38cce866af428516

SHA512
a4e5b21a754e4e8c374a370e22223a6bd14f355b0aecfe91cbf75005757f68101cd8a515e5ab5ece36440583f99b11aa2831b93bfa4f8c16cb295b86633082a5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
604667aa88c3a835f7ae5b999e51d821

SHA1
e3bf5c01acd4de901331e61f62342437b94895e9

SHA256
db5ad7e8175e428ded5309f5704945cbb8f9279e0104ffbac9c26581adb836db

SHA512
c94088202fb2da95a0e303fe49104ea4b25b377c811916e878d766f33700b4a967f2345e7f5dd147253603a22c9a08d02ce0a1cfe12ac74833c973dee0061b3d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
2d19cb8313a9b2fd598d4b2e257a9e42

SHA1
083b2a4a79c3f6b421fa92a4fcc73905b6af0d2c

SHA256
4a23d8f0071ecf5dc3cce66f283d1f43e238b42998ed2576b488e264f0d1001b

SHA512
6acf592397b33384c9b72153b13a6c87d64fa50f1781ce0ee44ac1ef5baf330dcdc97e1f4d4e682110f1b7db6f1f139cff55c26708bf8920efd1b63674dcf63b

Download Submit
memory/2112-37-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/2112-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2112-29-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/2112-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2172-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-16-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/2668-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2940-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing