neconyd | a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f

General

Target

a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
Size

90KB
MD5

a38465706d079d0ccb6ee3ac3370393f
SHA1

4c6db81007225f615f8c910cdeb959a5c95a6aeb
SHA256

a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f
SHA512

42c70b1eb2174241bf769b4b5acc99a70ef310d4b157e2e54ed512bc8ca80b73d197536bd35c77e64abb261afb819ba1d13c725db88a43991523e389adb75b87
SSDEEP

768:tMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA+:tbIvYvZEyFKF6N4aS5AQmZTl/5W

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2296	omsecor.exe
2560	omsecor.exe
2600	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2280	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
2280	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
2296	omsecor.exe
2296	omsecor.exe
2560	omsecor.exe
2560	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2296	2280	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe	28
PID 2280 wrote to memory of 2296	2280	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe	28
PID 2280 wrote to memory of 2296	2280	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe	28
PID 2280 wrote to memory of 2296	2280	a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe	28
PID 2296 wrote to memory of 2560	2296	omsecor.exe	32
PID 2296 wrote to memory of 2560	2296	omsecor.exe	32
PID 2296 wrote to memory of 2560	2296	omsecor.exe	32
PID 2296 wrote to memory of 2560	2296	omsecor.exe	32
PID 2560 wrote to memory of 2600	2560	omsecor.exe	33
PID 2560 wrote to memory of 2600	2560	omsecor.exe	33
PID 2560 wrote to memory of 2600	2560	omsecor.exe	33
PID 2560 wrote to memory of 2600	2560	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
"C:\Users\Admin\AppData\Local\Temp\a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
8c60b488dfbc5baeb6def2e229c6c752

SHA1
829563f186b5bb81341eeb955ae93f1fa681dd29

SHA256
abc77c4d6c6d87348ef5de6e04449d13d48f1f77bb8b737f8ac4d73a50c416ac

SHA512
e692b6941223e7edffac942bf54965c86e41222121035407155b5f1cf0910d983a40c29d3c4e8091dbf802985d0017b7e9a5bb5205cd9af55ed453b6d8087df9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
bfc6ed6d1bdb86f83317d47108cef7e1

SHA1
ed00576a34752ab26c93249f79a4a64aad256e4f

SHA256
4ac0089d177a93adda10b876c96267add48c03f4da45c6ece14a7ec6d9c0db39

SHA512
5f6073e252f0eddc76a307087a72e324c03a68e5b698c56ae659e4bb802110565ee24c331167b0d52d1bc282247baff86f65c966a05a9b6067f45f5cd9a881ae

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
8f99b66582a310ed618f47c10fc7491d

SHA1
3df7e65622017eb3c9888c19dac3c625c2671b68

SHA256
402e90074883a995ac67fb24305f76080777da4cefd958efebc9b21be49677ef

SHA512
f041f728215286ca4f5b29cb97127b1fd550feb096499bcb5ccfb7861866e3042294d05f4483045d2b33129ce7d53aae168cfd92ebf5882f15a3e56196db5d07

Download Submit
memory/2280-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2280-4-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2280-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2296-23-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2296-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2296-22-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2296-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2560-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2560-31-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/2600-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2600-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing