neconyd | ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245

General

Target

ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
Size

65KB
MD5

e079554ae472591cfa93b55e24a35c22
SHA1

25b557229676cabfce708cd879fea2ddb87e7ed7
SHA256

ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245
SHA512

c894860f4443486f6ea086bab4f0d13f20823228dfbe560a9fb409c575d1afff12ae42112078567aed450785b31f223e6d9ec7a85daaf626b0d02f5c7d54509c
SSDEEP

1536:md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzF:edseIO+EZEyFjEOFqTiQmRHzF

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2888	omsecor.exe
2976	omsecor.exe
3008	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3064	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
3064	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
2888	omsecor.exe
2888	omsecor.exe
2976	omsecor.exe
2976	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2888	3064	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe	30
PID 3064 wrote to memory of 2888	3064	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe	30
PID 3064 wrote to memory of 2888	3064	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe	30
PID 3064 wrote to memory of 2888	3064	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe	30
PID 2888 wrote to memory of 2976	2888	omsecor.exe	33
PID 2888 wrote to memory of 2976	2888	omsecor.exe	33
PID 2888 wrote to memory of 2976	2888	omsecor.exe	33
PID 2888 wrote to memory of 2976	2888	omsecor.exe	33
PID 2976 wrote to memory of 3008	2976	omsecor.exe	34
PID 2976 wrote to memory of 3008	2976	omsecor.exe	34
PID 2976 wrote to memory of 3008	2976	omsecor.exe	34
PID 2976 wrote to memory of 3008	2976	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
"C:\Users\Admin\AppData\Local\Temp\ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
ef881d20ff4bce9fa93c60f50ee93efb

SHA1
bb600a25a6a577706867a30764a516f2aad80585

SHA256
6cf0d5bfdc75404b3b5bf4b3c965af1c727ef8fb51a70f539c4b298d56b6810b

SHA512
5a79ce8848c626f636897f33320ecd6875dd17f1c54ab02a9ad43db0b6ffb353af455543eba879b3d545fb3b80375456664fc7a429c93f6ab01c514f6ea72961

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
864e8c7d0f594659d80eb328f05bb986

SHA1
b587000e44a85a86d7d395c86c19a9b0e7b17eda

SHA256
dd9cd61f2636c681ce9e705f27472090c7e28ff0b6dde346b812417d3d90ddcf

SHA512
46ddac90513ccfba5242403f848a63db4001dfa50b5df46019b794ab655007a111313c0aaf21e77f3866110ce7eed704ea426a5ace7e4616b75174bb220c821e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
76dc9ae69375d0c4fd5063b96745a420

SHA1
3bcba33919f515b3c92e954844b00b893b8f75e2

SHA256
67c58b2d0b3d23cdb758efeb81e5fad0775dee9edd4c2f6dd012383748a70bf6

SHA512
9c672f978b7e414c70daf6d7dd2f02ac75826755c6b92846bdb9c0e89af935928beaab40bd77d7063b6af51aa54119bd179c59d94fe38209f49df7aecb8ef8c5

Download Submit
memory/2888-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-18-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/2976-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2976-31-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/2976-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3008-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3008-40-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3064-8-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/3064-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3064-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3064-10-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing