neconyd | 1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6

General

Target

1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
Size

65KB
MD5

c064549c82649f9e5e14e6fa3c6c011d
SHA1

459b8287523fe2a9bb354076b0b028d8fea5e52e
SHA256

1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6
SHA512

b71ca64e5513b60ae5ddd3e4f8fce324d1a32be6a463e5d802f46a8f41ea3fe05bb22f4ea647fcc2ef229d675cd2fa61d32dbc365f172154892d4d9e74ff4963
SSDEEP

1536:4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz/:IdseIO+EZEyFjEOFqTiQmRHz/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2108	omsecor.exe
2836	omsecor.exe
1500	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1708	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
1708	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
2108	omsecor.exe
2108	omsecor.exe
2836	omsecor.exe
2836	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2108	1708	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	31
PID 1708 wrote to memory of 2108	1708	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	31
PID 1708 wrote to memory of 2108	1708	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	31
PID 1708 wrote to memory of 2108	1708	1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe	31
PID 2108 wrote to memory of 2836	2108	omsecor.exe	34
PID 2108 wrote to memory of 2836	2108	omsecor.exe	34
PID 2108 wrote to memory of 2836	2108	omsecor.exe	34
PID 2108 wrote to memory of 2836	2108	omsecor.exe	34
PID 2836 wrote to memory of 1500	2836	omsecor.exe	35
PID 2836 wrote to memory of 1500	2836	omsecor.exe	35
PID 2836 wrote to memory of 1500	2836	omsecor.exe	35
PID 2836 wrote to memory of 1500	2836	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe
"C:\Users\Admin\AppData\Local\Temp\1a460dd4e9bda187bc2cac73e33eb188a448891c226ae16596e2d3ac4fafe9c6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
a4afa73a120789b79866439e80615aff

SHA1
3d2c27342bef2f3b2b001a31937953a27f42a035

SHA256
41c12c5a13626fd9c4326a3b25cac1e07bb069750250b30914088844630b7943

SHA512
934ba1dd0bea2aaf08b6d8a2e100869200269dafff79b66cf4c41ba890a7334fa2798d040292d2159fd089b0317388ffaa8c4821ece50cb1dfc2faba6c2edab4

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
df7a462465ea7ce0af8492e3ca1005fd

SHA1
d89ab1d53c2439957570f53b2d7440065e5a6132

SHA256
ecb3867b2f1c622d684e09d57ccc3f8b88882a0e6fa51973e2acafed0fc0f892

SHA512
b0b21e07d3b172416e91f9d84cd53066b1bc8e79c7c6463bd1ad7124392a83541793528a9720e34402c1207b8e16f1c483580cc168d793f5bf5ef4db47f0b900

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
9b5d3729644ed10d6977c9fa6bdd8ae5

SHA1
66243a33d30b7d660a49572c3cf00e89c0bbb83a

SHA256
658b341eed7f5f61179bb8211ebc4067a316bea0f9432299d944f80ef11f18da

SHA512
1ba31edefc81f8f0f6689c10dda49527cb18c38f67bbaa779e59b8acbec422b0fb81f7bd1fefa1e940d18d7f24f65f82e785c4dd07d3ce74d21006db28ae6fbd

Download Submit
memory/1500-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1708-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1708-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1708-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2108-22-0x00000000006E0000-0x000000000070A000-memory.dmp

Filesize
168KB

Download
memory/2108-23-0x00000000006E0000-0x000000000070A000-memory.dmp

Filesize
168KB

Download
memory/2108-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2108-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2836-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2836-31-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2836-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing