neconyd | 269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422

General

Target

269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
Size

65KB
MD5

12837701a685d2ba352082487de57f85
SHA1

0d292469a0d5ee7cddb0ab8fe184bc22b9cab876
SHA256

269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422
SHA512

ed2347e9ee9115a39bfff507ca665b655fc2e41dc2b9c6ef703afe13108964cd9da76d79cc71fbf4fa1ad0a522bba81f0a402fe315f76be6bce003ebf48c0356
SSDEEP

1536:Ud9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:sdseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2916	omsecor.exe
1332	omsecor.exe
3068	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1820	269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
1820	269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
2916	omsecor.exe
2916	omsecor.exe
1332	omsecor.exe
1332	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2916	1820	269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe	29
PID 1820 wrote to memory of 2916	1820	269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe	29
PID 1820 wrote to memory of 2916	1820	269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe	29
PID 1820 wrote to memory of 2916	1820	269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe	29
PID 2916 wrote to memory of 1332	2916	omsecor.exe	31
PID 2916 wrote to memory of 1332	2916	omsecor.exe	31
PID 2916 wrote to memory of 1332	2916	omsecor.exe	31
PID 2916 wrote to memory of 1332	2916	omsecor.exe	31
PID 1332 wrote to memory of 3068	1332	omsecor.exe	32
PID 1332 wrote to memory of 3068	1332	omsecor.exe	32
PID 1332 wrote to memory of 3068	1332	omsecor.exe	32
PID 1332 wrote to memory of 3068	1332	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe
"C:\Users\Admin\AppData\Local\Temp\269197fcebf553dac1bb0f65600619a4a2b11bba023511abe61cb028e8c7e422.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
e0ba6b89326454c613cdd789ba521c55

SHA1
4ff47d99ae6a85c378aea320b5603766a6d40078

SHA256
651ff0bcf533a0b074e90290e36fdeac5c5b41366256cf4dd67d645476538093

SHA512
0ec95d92446e50130981a8237e6e70bafc8aea6a33e4a5c40e0d0dc45feba24d0d82e1b1ffb5fd982ff69b0a3ea47c9660deda163f66849ab13edb6be1b5fb86

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
c8b7ec2ac51daec071c8d144d7f6f028

SHA1
dafe9c2b4279bcf3870c4ebeceefc6b6db032364

SHA256
2e6c841ed98cd996a62ec4c620d412020eefe36dfb72a77539688b0f2d20baf8

SHA512
6070f0cf09ddd4a1acc8b89a2f7b9eab98eb3e411b78e229d6c63b15c1a284a7af6dcc5c6e3c4d7253fbc67dd9cacb5871e7870e0f6d140f4a90889b4bb096c2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
399e74807d7497a0bad82e34e2321e8f

SHA1
db43df40e2de5864ac2e51c6f382954b5f6dd8f9

SHA256
72a644f892f190129dfcfdd63230bce080ec66b545f5117bda9c15ea8826427f

SHA512
237b8599c69cb14106d4d71c5177e8a48344155d2bda8f8733fd4a0b2d6e8c331f60693391191ca55cae95d89c91dfbfe3f8cf86bc829f89c6c33ef7a803dcfa

Download Submit
memory/1332-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1820-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1820-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1820-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2916-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2916-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2916-23-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/2916-18-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/3068-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3068-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing