neconyd | 52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7

General

Target

52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
Size

71KB
MD5

21cc6c38f55dc1d69047ff39215232c0
SHA1

94c2c34f29f4446f31cfcb34a173e099d12491a5
SHA256

52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7
SHA512

5bb568df180a048c0b3030544db0bf98fc5724aa67552eba353d0adac9c1d4b35b131028dcb25497a06e1e0cc6e19cde5e6fdfaead0929a9d14964a2d1aa4b14
SSDEEP

1536:Hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHH:vdseIOMEZEyFjEOFqTiQmQDHIbHH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2352	omsecor.exe
1032	omsecor.exe
1764	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2348	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
2348	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
2352	omsecor.exe
2352	omsecor.exe
1032	omsecor.exe
1032	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2352	2348	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	31
PID 2348 wrote to memory of 2352	2348	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	31
PID 2348 wrote to memory of 2352	2348	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	31
PID 2348 wrote to memory of 2352	2348	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	31
PID 2352 wrote to memory of 1032	2352	omsecor.exe	33
PID 2352 wrote to memory of 1032	2352	omsecor.exe	33
PID 2352 wrote to memory of 1032	2352	omsecor.exe	33
PID 2352 wrote to memory of 1032	2352	omsecor.exe	33
PID 1032 wrote to memory of 1764	1032	omsecor.exe	34
PID 1032 wrote to memory of 1764	1032	omsecor.exe	34
PID 1032 wrote to memory of 1764	1032	omsecor.exe	34
PID 1032 wrote to memory of 1764	1032	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
"C:\Users\Admin\AppData\Local\Temp\52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
7d6b4ebf35a1d1cb220ad2416d8d7fde

SHA1
e619156eabb9763cb053389d89b179702e279e7c

SHA256
d3a460e4e4104aefe151dca3bd858008418217c3a7c27dbf7841706dbd24afd0

SHA512
d266ed8046cde5d5902a4a987e6297f90c1a2b013601b2285028d7485bfff1b38c98cc5cfdde40a6c61c7af234fd42e590e18aae51abef314acd98e8b8b4f998

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
6ad2d5fb0f8e5776b33fbe13dffc1da7

SHA1
7d21220bdfff7faa2b99e2eb7c4acae4dbcc948c

SHA256
febbcc6d3bddc4f6d0bcca12c6bddca25ac823957d11e78eddda00e7cb3909a6

SHA512
7751a21cbfb8653f8fa6c00dcf6a6e627dee016ef23e56c44035e65af852df0abe2541cb7d907e321a96e71053f27c5c7c9f32e3f08e1c0836b677d6405f37ee

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
1834ad09d06dcd0ab9e5171da1fa79d5

SHA1
c1da4654a16c18260aac66c0a09b379b1afea658

SHA256
d0913239817cd6bc6cd5245a68f7eb3c249630a901c0557b0e0af5ccb4e4fb15

SHA512
a0232f79b98bffd9808386e461c77b0fb6ca6790ce3efb70088badeb8daf4cd3ace0eaceb94217cfc469609b1327467272acf864c42ec873703297139101b00a

Download Submit
memory/1032-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1032-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1032-32-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1764-41-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1764-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2348-4-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2348-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2348-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2352-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2352-23-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2352-24-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2352-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2352-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing