neconyd | 52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7

General

Target

52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
Size

71KB
MD5

21cc6c38f55dc1d69047ff39215232c0
SHA1

94c2c34f29f4446f31cfcb34a173e099d12491a5
SHA256

52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7
SHA512

5bb568df180a048c0b3030544db0bf98fc5724aa67552eba353d0adac9c1d4b35b131028dcb25497a06e1e0cc6e19cde5e6fdfaead0929a9d14964a2d1aa4b14
SSDEEP

1536:Hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHH:vdseIOMEZEyFjEOFqTiQmQDHIbHH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2524	omsecor.exe
1308	omsecor.exe
2940	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2356	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
2356	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
2524	omsecor.exe
2524	omsecor.exe
1308	omsecor.exe
1308	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2524	2356	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	30
PID 2356 wrote to memory of 2524	2356	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	30
PID 2356 wrote to memory of 2524	2356	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	30
PID 2356 wrote to memory of 2524	2356	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	30
PID 2524 wrote to memory of 1308	2524	omsecor.exe	33
PID 2524 wrote to memory of 1308	2524	omsecor.exe	33
PID 2524 wrote to memory of 1308	2524	omsecor.exe	33
PID 2524 wrote to memory of 1308	2524	omsecor.exe	33
PID 1308 wrote to memory of 2940	1308	omsecor.exe	34
PID 1308 wrote to memory of 2940	1308	omsecor.exe	34
PID 1308 wrote to memory of 2940	1308	omsecor.exe	34
PID 1308 wrote to memory of 2940	1308	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
"C:\Users\Admin\AppData\Local\Temp\52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
7d6b4ebf35a1d1cb220ad2416d8d7fde

SHA1
e619156eabb9763cb053389d89b179702e279e7c

SHA256
d3a460e4e4104aefe151dca3bd858008418217c3a7c27dbf7841706dbd24afd0

SHA512
d266ed8046cde5d5902a4a987e6297f90c1a2b013601b2285028d7485bfff1b38c98cc5cfdde40a6c61c7af234fd42e590e18aae51abef314acd98e8b8b4f998

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
43a5b41073feed1c4957a17b67cfb497

SHA1
7bd30ff115ba22f5c85bd06c13634720e19779a0

SHA256
f2b737ac09cf54c2ba558e0324d86b119c82084d0895db6de9465d960e4a9f0f

SHA512
d138ecc7602caf21ce9c987464c115645f4a8f5feffe796fdb52a7c41a566c0b2a3816aa52e413a91c3243803303de2960f489abb39a8af9c9062364c97b2950

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
0dbcbeb6bccb16a62ed99d069477e560

SHA1
c98f2d6ba6ede9363351fda666f62344b9e36ac3

SHA256
ad954455a51cddbbb7ba096df78239c10fbc34e6ff7282b3b86e897c81e6a405

SHA512
49df090f608a270795805b0666ec92b32bceb87d2f412f618122d052795fc6317af1ac9b1c59bc27f76d330e0290567759dde6656af7ba9d241ebf73b565824b

Download Submit
memory/1308-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2356-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2356-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2524-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2524-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2524-17-0x0000000001F60000-0x0000000001F8B000-memory.dmp

Filesize
172KB

Download
memory/2524-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing