neconyd | 09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433

General

Target

09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe
Size

61KB
MD5

9eadd2f05a2e7f9a08411bcd7682c2a5
SHA1

687fef93bbcf9ee18129b98ad9c448f1b8a54009
SHA256

09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433
SHA512

b45a5a65df0b58f09b5d8037aa4fcd464319be4f75bb254bdc23f48c69254012b2e0fc462fcd4e5471233bc824a211dacc3f992b1cac5ae7c61e1d8d7ebba41d
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5v:+dseIOMEZEyFjEOFqTiQmTl/5v

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Downloads MZ/PE file 1 IoCs

flow	pid	Process
43	2360	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
1504	omsecor.exe
4008	omsecor.exe
4420	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2212	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 1504	3544	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe	86
PID 3544 wrote to memory of 1504	3544	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe	86
PID 3544 wrote to memory of 1504	3544	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe	86
PID 1504 wrote to memory of 4008	1504	omsecor.exe	95
PID 1504 wrote to memory of 4008	1504	omsecor.exe	95
PID 1504 wrote to memory of 4008	1504	omsecor.exe	95
PID 4008 wrote to memory of 4420	4008	omsecor.exe	96
PID 4008 wrote to memory of 4420	4008	omsecor.exe	96
PID 4008 wrote to memory of 4420	4008	omsecor.exe	96

C:\Users\Admin\AppData\Local\Temp\09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe
"C:\Users\Admin\AppData\Local\Temp\09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4420

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEQ5REY2MUQtNTM0Mi00MjlBLUE3NjMtQTI1NTM3NEVCQkQyfSIgdXNlcmlkPSJ7NDlFRTQ1NDYtRjlBMi00REZFLUEwQzgtNjRFOENCQjM3NTAxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTI5OEIwQzQtNUFCMS00ODE3LTkwNTgtOEQzRDc4NDUyRDNDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDAzNTkyOTE5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
a4d5b78954efc81183f7ae4cd2710949

SHA1
7664304056249bf62d42e42fc3fa8c8da76849e5

SHA256
8bbb1f4a4ba3bae0b390872ca05bbf7e5d68119dab28896227f5fef9c5ede3af

SHA512
5050c3c9725f077a1182262430a63254ef8d792e3d743b42f192b0be96d07b09f05c9aecae801e50adbcde97de38b98a1e8a89e2474dcdceba4d1b0272651530

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
0c9370d0974b5e4d1425e37bc63637e4

SHA1
435819f786818d7e74b7a2c80e8fb4d3533bde0d

SHA256
0fb5d4ced6b400b755818363709ad2ca9d0b55811218fb13e5e73f10a119fb52

SHA512
1174c1b629ad25da77fc5a60e1782cb451cc2552dc2d5fcfe6b42e5b77c9cb36a15e39f46da2772eea6944f68db44b0fd58d0062d88ed475298e31e0e6aa042b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
9813e731a5c253aee4b6082c8c3e5720

SHA1
dcd4eb504b03450ae8567f569374cc2caefedad8

SHA256
61cf25c451e45a5b851bf6b1ecd2cc3f93c28f000c8fc93128c01a1043b6c97b

SHA512
730bee69cc76c8cadd9c0c99f11d7d419c832b2fa753d3fb08d35498e558c57d80ace16ff77b9cc65059dfa96061aa99d859304cf5df1c82cc41bff84f7db031

Download Submit

Analysis

Sharing