neconyd | 2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea

General

Target

2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
Size

76KB
MD5

6351bf0b2c857a252d51c3442c498476
SHA1

684e30fb9169d36080114ae44ece8e9d206675a1
SHA256

2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea
SHA512

9ceea7634d447cfa772d744cee31d38b74697d12e44308027bd4eda508887e7c73807e112c90caaae31a9b21a2c7bae7935d203ed12b0b66e012d357b7ded083
SSDEEP

1536:5d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11J:ZdseIOMEZEyFjEOFqaiQm5l/5w11J

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2904	omsecor.exe
1868	omsecor.exe
1668	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2280	2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
2280	2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
2904	omsecor.exe
2904	omsecor.exe
1868	omsecor.exe
1868	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2904	2280	2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe	30
PID 2280 wrote to memory of 2904	2280	2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe	30
PID 2280 wrote to memory of 2904	2280	2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe	30
PID 2280 wrote to memory of 2904	2280	2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe	30
PID 2904 wrote to memory of 1868	2904	omsecor.exe	33
PID 2904 wrote to memory of 1868	2904	omsecor.exe	33
PID 2904 wrote to memory of 1868	2904	omsecor.exe	33
PID 2904 wrote to memory of 1868	2904	omsecor.exe	33
PID 1868 wrote to memory of 1668	1868	omsecor.exe	34
PID 1868 wrote to memory of 1668	1868	omsecor.exe	34
PID 1868 wrote to memory of 1668	1868	omsecor.exe	34
PID 1868 wrote to memory of 1668	1868	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe
"C:\Users\Admin\AppData\Local\Temp\2989d1d879a087cd860f0ba544267551a1a99b91f961258876518567bdfbfbea.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
ec8fa177728ecbde3bbcc7e74e91ca62

SHA1
6f90c073c883095b2a88c09910bca8515d7ccf2c

SHA256
1c7c0c18f3d7f4e2957298dceb63afd7001c36db9079b44b3ac0fe8087db5c47

SHA512
ee2849ef0471d748f32694e9b13309bd167aae8f6205dcb914db309e064ef92c33995bf40fd043cd788fef9f54b93ac36cbb6f8430e8b31e0bd9187f92b81ff7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
e82fb72d9232e45518e88ef92a09affb

SHA1
4d4c1557630d60f88aa6f25ceb8574f2e01e0cac

SHA256
f871547f02043169fc839f6029371fa029826b901971db6210441a922a5ab628

SHA512
5216404853fa7609dcabe7d23cbbbc5b2d5968b168d453ded8883e034d0e6ca5af13cff4a8c3c1170eb1384e470fb1179bc850be6a173d9579549b5b3576db34

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
ad04f90e49db2b3746e3e8b691e4793a

SHA1
9b5facac25f6ef6201a94b23bc1201fee67acc47

SHA256
f5cfae2809bea7a35f59bb8d77886de09dc92d0dde82c89157cae2879760bad2

SHA512
c587239867cf1ac01e9ddc8bbbd66e5d6f00ad729972a49c0e14c0837bda8cc0faa724c002030155a922ac91f4b6cff0ab621e99dfb809e9115cfa0278589ed3

Download Submit
memory/1668-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1868-29-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2280-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2904-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-17-0x00000000023E0000-0x000000000240A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing