neconyd | 1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6

General

Target

1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
Size

65KB
MD5

c064549c82649f9e5e14e6fa3c6c011d
SHA1

459b8287523fe2a9bb354076b0b028d8fea5e52e
SHA256

1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6
SHA512

b71ca64e5513b60ae5ddd3e4f8fce324d1a32be6a463e5d802f46a8f41ea3fe05bb22f4ea647fcc2ef229d675cd2fa61d32dbc365f172154892d4d9e74ff4963
SSDEEP

1536:4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz/:IdseIO+EZEyFjEOFqTiQmRHz/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2132	omsecor.exe
2360	omsecor.exe
1748	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1048	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
1048	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
2132	omsecor.exe
2132	omsecor.exe
2360	omsecor.exe
2360	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2132	1048	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	30
PID 1048 wrote to memory of 2132	1048	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	30
PID 1048 wrote to memory of 2132	1048	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	30
PID 1048 wrote to memory of 2132	1048	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	30
PID 2132 wrote to memory of 2360	2132	omsecor.exe	33
PID 2132 wrote to memory of 2360	2132	omsecor.exe	33
PID 2132 wrote to memory of 2360	2132	omsecor.exe	33
PID 2132 wrote to memory of 2360	2132	omsecor.exe	33
PID 2360 wrote to memory of 1748	2360	omsecor.exe	34
PID 2360 wrote to memory of 1748	2360	omsecor.exe	34
PID 2360 wrote to memory of 1748	2360	omsecor.exe	34
PID 2360 wrote to memory of 1748	2360	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
"C:\Users\Admin\AppData\Local\Temp\1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
6dc0c0d399ad51bf668a3e6b84e245b9

SHA1
2bfe704383f4b9292b7333e1013d9ab60b0799e3

SHA256
9c4c06a94e894ee309b6fad5e0e4cf8e17f02360605a38a5f11752abf9c6cb08

SHA512
967782a834a512466a7a2932d9d6a04202e0fb9b6fb4a1a12c1e014ccd954d0193343f295a0f03dd44c22dd7837ca6a67a6da31ca4321afb64c9c10e374f2543

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
a4afa73a120789b79866439e80615aff

SHA1
3d2c27342bef2f3b2b001a31937953a27f42a035

SHA256
41c12c5a13626fd9c4326a3b25cac1e07bb069750250b30914088844630b7943

SHA512
934ba1dd0bea2aaf08b6d8a2e100869200269dafff79b66cf4c41ba890a7334fa2798d040292d2159fd089b0317388ffaa8c4821ece50cb1dfc2faba6c2edab4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
c2e253d7050674f303bcfba555821da5

SHA1
6727fab7f9fed6ab5ebfa705cc8485b4d78cfc66

SHA256
0db6d104d698dbe57ec22f2ff2006d8ae2fbe106722d58c0c44706505eaaff29

SHA512
8d0627536237c7f40e265bdc79e1b6e95c319fc61ce063572b47be0f1372155e2d148a65cb0c9275f4aefd471308d988f8c9503b1d1332b8625ff0df709cd84d

Download Submit
memory/1048-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1048-9-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1048-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1048-4-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1748-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2132-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2132-18-0x0000000001F30000-0x0000000001F5A000-memory.dmp

Filesize
168KB

Download
memory/2132-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2360-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2360-31-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2360-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing