neconyd | 909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252

General

Target

909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
Size

71KB
MD5

2cfe0f618024241fd92a21de19831700
SHA1

ae2f30105ae1b9c7751f283606fcace01f42cef5
SHA256

909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252
SHA512

d35ceadd67660fcf9d17b4a4442eac677f8a02dad6d12b494c39536e88ac936fd6e4cc5abb95068faae9251e4fa0b70e315126409047cb655db0a3c02ed82d02
SSDEEP

1536:4d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHV:IdseIOMEZEyFjEOFqTiQmQDHIbHV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3060	omsecor.exe
2156	omsecor.exe
2896	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1720	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
1720	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
3060	omsecor.exe
3060	omsecor.exe
2156	omsecor.exe
2156	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3060	1720	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe	30
PID 1720 wrote to memory of 3060	1720	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe	30
PID 1720 wrote to memory of 3060	1720	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe	30
PID 1720 wrote to memory of 3060	1720	909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe	30
PID 3060 wrote to memory of 2156	3060	omsecor.exe	33
PID 3060 wrote to memory of 2156	3060	omsecor.exe	33
PID 3060 wrote to memory of 2156	3060	omsecor.exe	33
PID 3060 wrote to memory of 2156	3060	omsecor.exe	33
PID 2156 wrote to memory of 2896	2156	omsecor.exe	34
PID 2156 wrote to memory of 2896	2156	omsecor.exe	34
PID 2156 wrote to memory of 2896	2156	omsecor.exe	34
PID 2156 wrote to memory of 2896	2156	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe
"C:\Users\Admin\AppData\Local\Temp\909fc26349727f0151f6f1a86beccc485581e5e394e5395645dbe2646ac66252N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
1a920717444a48152301011218da690b

SHA1
881ed6183cf768ef3e5d251518d22cd709e64279

SHA256
2af946ab4b09d4683a6b6324e5c59c15d16a4915ae9ebf48f6e90e4b3bd7d549

SHA512
dfa8818dcf05e5d6b341c3e6858a326e2e11a4ee6d93388c1f054315b77721fc37fc8a20046e930d4b956822816de2038e7f995ee0c5706c6ea5bc27544fd2d0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
3d4c1b4a80079f92081d7b717b5dec14

SHA1
e38c94a105fe22170867265fda6b21cb488ef593

SHA256
6154f5564da21adb6a7ae377a242ec97f0d7600f11e0843048c3eb10fe7db145

SHA512
89527adaef13f6b10c615878242ea1ad73835d2156613c068a6c1c2e2bf4972d0916b1a83e3cfe5ee5fd3a6aec51b0931985d1b18b056ebaf7b3b77ade97e9d0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
7317e23ec6aac0cc6141cee6d48d3d25

SHA1
f97405770b56c782d25a035f0b242d3fb9542143

SHA256
c69348ba02dbaa7a1cfa3132eed03e71bdb05502495b55e433fbef6f6f0c20f2

SHA512
e19193e9117f65bc29bc7ea3f073090f42cf1ef42d868ee372daa2196ccd13cf7087c482dda26258bd40e4362720be1828476ba87e32191ded3e4246e26637aa

Download Submit
memory/1720-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1720-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2156-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2156-27-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2156-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2896-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3060-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3060-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3060-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing