neconyd | e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542

General

Target

e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe
Size

33KB
MD5

b4a8013875297598e246b5cd6854d620
SHA1

854cd704e40d086dc99f220a62a56160fa6fbc1a
SHA256

e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542
SHA512

1ce62b33bdfa47ee17548a707ba1272c54468b3c2fa3cc898f94a97f34546e6161f5dd6423f84cfed72e056f0dd1c77727fc8025a471b6c1fd8975908a3491ce
SSDEEP

768:LfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7DJ:LfVRztyHo8QNHTk0qE5fslvN/956qw

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2560	omsecor.exe
1856	omsecor.exe
1824	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2556	e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe
2556	e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe
2560	omsecor.exe
2560	omsecor.exe
1856	omsecor.exe
1856	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2560	2556	e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe	30
PID 2556 wrote to memory of 2560	2556	e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe	30
PID 2556 wrote to memory of 2560	2556	e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe	30
PID 2556 wrote to memory of 2560	2556	e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe	30
PID 2560 wrote to memory of 1856	2560	omsecor.exe	33
PID 2560 wrote to memory of 1856	2560	omsecor.exe	33
PID 2560 wrote to memory of 1856	2560	omsecor.exe	33
PID 2560 wrote to memory of 1856	2560	omsecor.exe	33
PID 1856 wrote to memory of 1824	1856	omsecor.exe	34
PID 1856 wrote to memory of 1824	1856	omsecor.exe	34
PID 1856 wrote to memory of 1824	1856	omsecor.exe	34
PID 1856 wrote to memory of 1824	1856	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe
"C:\Users\Admin\AppData\Local\Temp\e5ba58b7eaf078bef1dbd69871bdf44edf22cce79bf88997f90aac04974cf542N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
a6611311d1254af8b64a7756033a65bb

SHA1
274feef1b735a2c4fcb4becae6c9d016bebcdf5e

SHA256
2d460397b8876bab36982386b7a9444aef903cfe14355df8303a8849f047aa73

SHA512
36c1bfedff36d45a27c8d35db4bb6bbe27cb83052b8b9b891dd4557200d635935f94b71033a41219ac23501b7d21f77a30d56bef7ecd6e298dd6b1d84ef35b99

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
1246f7130a55fa56376369acd4ad4263

SHA1
92a08bb4cec064fbdde940142278750cbff60138

SHA256
8d64bc402439225eda18590eaa46e47386b8f3c71c1678d6fd21322b50d9dacc

SHA512
d60d0458258991dacc9eba803759de687beee21f2e8c9399156e168deb36932251a898748c5ae6d938062ccc766029824d21ab1caa2554e8b3073f72f4246e93

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
d3e3c8942804f6c945ea09fbf49b0c80

SHA1
3315f255ce7ec933e7335c1d3a234a29b59db315

SHA256
450981b96d349b5593fe86bcc71e5e36f863979a727500d882066e340aa5b439

SHA512
eb0c843036adb19935b1f97d161b534076a4c3080c4a26892e42c7dcab5bee2e882fd7bbaa1e7bc7cdd52c3e39e88d17640323711dfc238e68cef94957cea60f

Download Submit
memory/1824-52-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1824-51-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1856-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1856-48-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1856-42-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2556-9-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2556-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2556-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2556-8-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2560-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2560-33-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/2560-32-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/2560-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2560-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2560-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2560-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2560-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing