neconyd | ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245

General

Target

ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
Size

65KB
MD5

e079554ae472591cfa93b55e24a35c22
SHA1

25b557229676cabfce708cd879fea2ddb87e7ed7
SHA256

ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245
SHA512

c894860f4443486f6ea086bab4f0d13f20823228dfbe560a9fb409c575d1afff12ae42112078567aed450785b31f223e6d9ec7a85daaf626b0d02f5c7d54509c
SSDEEP

1536:md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzF:edseIO+EZEyFjEOFqTiQmRHzF

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Downloads MZ/PE file 1 IoCs

flow	pid	Process
42	4444	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
4964	omsecor.exe
1944	omsecor.exe
1588	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3040	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 4964	1340	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe	86
PID 1340 wrote to memory of 4964	1340	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe	86
PID 1340 wrote to memory of 4964	1340	ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe	86
PID 4964 wrote to memory of 1944	4964	omsecor.exe	100
PID 4964 wrote to memory of 1944	4964	omsecor.exe	100
PID 4964 wrote to memory of 1944	4964	omsecor.exe	100
PID 1944 wrote to memory of 1588	1944	omsecor.exe	101
PID 1944 wrote to memory of 1588	1944	omsecor.exe	101
PID 1944 wrote to memory of 1588	1944	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe
"C:\Users\Admin\AppData\Local\Temp\ce0a433f67215ca5029a690c00df619ad4d2340bae15a6644e35efe068b6b245.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1588

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjZENjkwNDgtNjRENC00MEY4LTg3QjktQzM5Q0EwRTcxNUEzfSIgdXNlcmlkPSJ7Q0RDMkFBNzMtMTA4Qi00NDkyLTk2NDgtRDNBRUQyQkIxMjdFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjlCNjRFNzAtNzNCOS00NkQ4LThCRDItNzJFQkY0OUFCOUE3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDM1MzUzNTcwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
9f07e0a2d63c4b975a794edd950e980f

SHA1
b08866597e31a689e614d5a484d595560f9073ef

SHA256
ddb686a4957be12bf04872ab755560a261a71fa030b867fcf18fa251dcbf47eb

SHA512
efd3ed881601e77ae41080776862d0badfd42f49e227db8ccffe73fa500f894e43913407111b659b37b6c460063ceacdb1060596ec47824f8dc151abcca775d3

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
864e8c7d0f594659d80eb328f05bb986

SHA1
b587000e44a85a86d7d395c86c19a9b0e7b17eda

SHA256
dd9cd61f2636c681ce9e705f27472090c7e28ff0b6dde346b812417d3d90ddcf

SHA512
46ddac90513ccfba5242403f848a63db4001dfa50b5df46019b794ab655007a111313c0aaf21e77f3866110ce7eed704ea426a5ace7e4616b75174bb220c821e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
dbe4b34164de5dd0c62d74bbf9557c41

SHA1
0e709b7d24a2719161dd62525d0c4ff7a3a8bbc2

SHA256
3b15f5cfc6a2469dd52ab695e67b5240f08f3745442ec24ef77757c025514398

SHA512
3c0dc69b62e1c72c3eaadfa9c425be30ae8a6d453a83bb62d96cbd551682b81d93beae6f590578b3616b658404818ab1bef3e4dac9689726961920e89fa8ce14

Download Submit
memory/1340-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1340-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1588-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1588-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1944-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1944-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4964-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4964-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4964-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing