neconyd | b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4

General

Target

b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe
Size

90KB
MD5

2569dd044ce990af33f5df5c451a1691
SHA1

03660287aba99ab8014260f97014043213887539
SHA256

b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4
SHA512

a7e7415c826d3f09620e9ddcf48e8bb2fa42c497dee00f9b2ea7fa289a1e897e05d82907daebee35a89f2f93859bcbcc1976156f5e75d996f8ee4a0df66340a8
SSDEEP

768:OMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAa:ObIvYvZEyFKF6N4aS5AQmZTl/5i

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1892	omsecor.exe
2680	omsecor.exe
1444	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
756	b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe
756	b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe
1892	omsecor.exe
1892	omsecor.exe
2680	omsecor.exe
2680	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1892	756	b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe	28
PID 756 wrote to memory of 1892	756	b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe	28
PID 756 wrote to memory of 1892	756	b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe	28
PID 756 wrote to memory of 1892	756	b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe	28
PID 1892 wrote to memory of 2680	1892	omsecor.exe	32
PID 1892 wrote to memory of 2680	1892	omsecor.exe	32
PID 1892 wrote to memory of 2680	1892	omsecor.exe	32
PID 1892 wrote to memory of 2680	1892	omsecor.exe	32
PID 2680 wrote to memory of 1444	2680	omsecor.exe	33
PID 2680 wrote to memory of 1444	2680	omsecor.exe	33
PID 2680 wrote to memory of 1444	2680	omsecor.exe	33
PID 2680 wrote to memory of 1444	2680	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe
"C:\Users\Admin\AppData\Local\Temp\b1341b83672a13afb533c115a99d7184212b0121d59d07b27e66199358291ab4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
60ba7bb969520cada40e1dfd08b56db0

SHA1
039b402773d6d6a6e5cef702f3f3d1e5675959a7

SHA256
41076506c9610bdf9cb4f2a41f7fd1bc6df2bfebc583a9d31630741891ba35bd

SHA512
989d7f90f97b69f82926ec1c2f3837c063e5df4200f1d38b3ac2d40029ae7d387b4c1435b15d86ff66c6d734c94c40c54bbd8987e9ae1b05d3c452d79fc6778b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
162ce6829db4030a9dd72102b82fa577

SHA1
ea97ca289a200526b1febab4cee5e198a46cce84

SHA256
d63dd5c5efa17bb802d0cb53bbadb05f5b7a913c789f363bf89e9a49e9e60f69

SHA512
92fede61c3f7592e2928d006fb75f246245cb6c70e13e2727c84088347f6591ee31b76396cbdc7fb1986f5eed3beec9544d2cf645bffcb08e55bb687a658eba0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
019b71492a04459d08685aa6c74e091d

SHA1
60b6cabfc2de1d7afd7ade5a60db2bcb354981a3

SHA256
1baf584d0710d78562aac5bb243293a42b407b8295888017fd2e70cc252b50c3

SHA512
443f38a9fb9de10916f04db0a9f380986ca2cffd1358cc26c8187d0f09f15f898a91fcefc0f1a93b488b8c4298ff35ff70f17a5a1d2f065437693810d4f4bcc5

Download Submit
memory/756-9-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/756-3-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/756-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/756-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1444-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1892-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1892-19-0x0000000001F50000-0x0000000001F7B000-memory.dmp

Filesize
172KB

Download
memory/1892-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1892-24-0x0000000001F50000-0x0000000001F7B000-memory.dmp

Filesize
172KB

Download
memory/2680-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2680-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2680-32-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing