neconyd | a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091

General

Target

a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe
Size

65KB
MD5

cec2e18140f848a4bdf3f31242799e90
SHA1

4294a95ade835ac820e932dd61eb68e0afd10f6f
SHA256

a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091
SHA512

b7758c24b2329f1468a33c68fe2d1928e058bd035531330fdccfd52517843cabdee5740186c5a5facb64d9976ceb9f2d9bc07bb4fa289bc565ec8bbdc2d2e0af
SSDEEP

1536:Md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:0dseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2432	omsecor.exe
2948	omsecor.exe
2704	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2904	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe
2904	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe
2432	omsecor.exe
2432	omsecor.exe
2948	omsecor.exe
2948	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2432	2904	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe	29
PID 2904 wrote to memory of 2432	2904	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe	29
PID 2904 wrote to memory of 2432	2904	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe	29
PID 2904 wrote to memory of 2432	2904	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe	29
PID 2432 wrote to memory of 2948	2432	omsecor.exe	31
PID 2432 wrote to memory of 2948	2432	omsecor.exe	31
PID 2432 wrote to memory of 2948	2432	omsecor.exe	31
PID 2432 wrote to memory of 2948	2432	omsecor.exe	31
PID 2948 wrote to memory of 2704	2948	omsecor.exe	32
PID 2948 wrote to memory of 2704	2948	omsecor.exe	32
PID 2948 wrote to memory of 2704	2948	omsecor.exe	32
PID 2948 wrote to memory of 2704	2948	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe
"C:\Users\Admin\AppData\Local\Temp\a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
fc36c49603228cf61cebcce15bc46691

SHA1
6961da5e331f0eaa8eee158c212248310020fde7

SHA256
eb9628489db09bdf589e532848f06019abeec57c14e205de75991a6b0f150e55

SHA512
08ee202a084b8d0800c7ec7b852693eeaa288c4d61c1f502b9a53d5a0a27c456a8d3da2fe9f7f8e2637c122e60d1a124e6ef0ae369dc964e693561ce4bf36d6a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
6ff60913bd20d3f7d5da6acdb35b053a

SHA1
e0d6e7a07f07773dd781bb509fdba847b381a727

SHA256
77596d094ddf1d48a111933fc5495f3d8190bfc2de609cc753bd040dbd900f09

SHA512
77e5309c4ca081c71645e54fd66da03dadc5f208da83aa10f05275c4a24fff32b357959430ce68c27245f45bb6f8f1fc6426be5ec8dbf20b6a0213cfc9c020eb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
68c03c4d83d873929845bb88d0824e3e

SHA1
638c67fc569cea49a21315d931a128baddafe2f4

SHA256
82ad67c8c85abdbe0a44c05e1dd857a564f29cc0712e357fa66fefec08dfba27

SHA512
ae1fb628ecb60207eba2ae3e69743cc8424a8cc21559c6ddc0b7a564f663d1134a997c40fda6b2f2b19e9bbd6d0710bfe18b09d791617a9e8e33387e1465da66

Download Submit
memory/2432-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2432-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2432-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2704-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2948-29-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2948-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing