neconyd | befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2

General

Target

befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe
Size

61KB
MD5

0dba0775cc9b5926f94321ce001ee641
SHA1

bf65e0f7a8ec59dcb41f18ec8b3ecd491e17732a
SHA256

befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2
SHA512

0ee85611fa9fabdcb2c8ad1480b827726f283c2f93f1ef44d21ad47a35487eab27c5c8e24c3d7bf2d220f16752d15c446fcf294f905628d0a9478f02f9f13692
SSDEEP

1536:Sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZWl/5l:idseIOMEZEyFjEOFqTiQmUl/5l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1684	omsecor.exe
1872	omsecor.exe
3048	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1860	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe
1860	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe
1684	omsecor.exe
1684	omsecor.exe
1872	omsecor.exe
1872	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1684	1860	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe	30
PID 1860 wrote to memory of 1684	1860	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe	30
PID 1860 wrote to memory of 1684	1860	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe	30
PID 1860 wrote to memory of 1684	1860	befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe	30
PID 1684 wrote to memory of 1872	1684	omsecor.exe	33
PID 1684 wrote to memory of 1872	1684	omsecor.exe	33
PID 1684 wrote to memory of 1872	1684	omsecor.exe	33
PID 1684 wrote to memory of 1872	1684	omsecor.exe	33
PID 1872 wrote to memory of 3048	1872	omsecor.exe	34
PID 1872 wrote to memory of 3048	1872	omsecor.exe	34
PID 1872 wrote to memory of 3048	1872	omsecor.exe	34
PID 1872 wrote to memory of 3048	1872	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe
"C:\Users\Admin\AppData\Local\Temp\befa2bdeeac47051ac9164f46b94dadf63aa4decb7e5007d5d6ffdf7876a52d2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4e9b2fb8c4e3eb9450f9ebe81f5ac15d

SHA1
0e4178bdadaee6a44f44b0a712236246e89ff4eb

SHA256
4eca7368eeb58ac6474cbc9e2da60904a01214e6d1b9891f77b06d8493a73fcd

SHA512
ccddcd20d0f7954b584b6f3d08f688d755187668619ed3f729e53e919728d222f9b16db8e978010373303f0cdd58beac93ed22ab058b62f0f9bb8082bd1c3be2

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
ef2ca6cc006b1df4e60afec960688f49

SHA1
49a08381a3c6a00a35ea268c27760846c24e3872

SHA256
a2b8667bfe3e45f86d3a9a211cc271edde5eba8e26dc574b73495c16248ab84d

SHA512
66bb5cc6bed3474e55d654c9093a8b75aeffcedeeafbeb8eb0afee020f402f7201476a138f5710e372dbe4a5b842318ad7e132a48ca07110aa0a444d277eb574

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
c3d49d55f3d20069a4d86b5e7eba14c5

SHA1
6592661298b7094f3c3994540ac3c60b25b08bca

SHA256
7db3407d748bb456969bf636ca86b27dacbdae259d1de2f95076b2c8e82f7844

SHA512
7b3d0538f1af6df74000e9ee0a4c34860537a24eee6e91891f550fd12b99291b8e877a6dbf5cdb0d05d5a0f4706e0cb47a9e499cc64729acf897f0891d667dfc

Download Submit

Analysis

Sharing