neconyd | 8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32

General

Target

8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe
Size

90KB
MD5

6a95558edb58d716532ccd8add56f032
SHA1

3a31fe63998a1ad9c1e406f0e4fc0c8f0076a190
SHA256

8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32
SHA512

0f14609da9d6b048d4ca5ae9e4430db81eadd201a1a71b709d9a40d939812cbab7176f7395e75676b19d0949043aaac129a1bd3803a72ed65fbfe807726b2a09
SSDEEP

768:PMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAa:PbIvYvZEyFKF6N4aS5AQmZTl/5i

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2268	omsecor.exe
2280	omsecor.exe
2416	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2132	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe
2132	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe
2268	omsecor.exe
2268	omsecor.exe
2280	omsecor.exe
2280	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2268	2132	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe	30
PID 2132 wrote to memory of 2268	2132	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe	30
PID 2132 wrote to memory of 2268	2132	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe	30
PID 2132 wrote to memory of 2268	2132	8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe	30
PID 2268 wrote to memory of 2280	2268	omsecor.exe	33
PID 2268 wrote to memory of 2280	2268	omsecor.exe	33
PID 2268 wrote to memory of 2280	2268	omsecor.exe	33
PID 2268 wrote to memory of 2280	2268	omsecor.exe	33
PID 2280 wrote to memory of 2416	2280	omsecor.exe	34
PID 2280 wrote to memory of 2416	2280	omsecor.exe	34
PID 2280 wrote to memory of 2416	2280	omsecor.exe	34
PID 2280 wrote to memory of 2416	2280	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe
"C:\Users\Admin\AppData\Local\Temp\8eef017b3d7fa6ad6393f6fdbee9a9efd83f398bbb2884f555dba978e8f28b32.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
8b69984e8f68f71fc256ed37aaf60f5a

SHA1
2e37313c1338295f2f9c651aba5d0aa17cf61b1f

SHA256
1af041d349e512e5fc79e69b8ecbc53182e451e70713035eb1a73b176f63c7c8

SHA512
c442fb407ffd525824ec065d18f71c16e922fee0c003900d7c6b44d95d70026d5a8e99c96d89df6a9838aa58af8fd6749aae5b28a353969f90c52b928e791dc7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
29cd3459d428232794b9df31cbb19caa

SHA1
6e8e2ee5949daabbc1a25ec7a61191349774bf72

SHA256
8091252dcec3ecaef41412b8ee71bf1da9b63f7da038273a0a357e5a6d39be31

SHA512
c4c43acc3a2cd77924d634428c6770de2708aaa6faba4beb862d65245e9d158955a2e41ea6e1383a6f31dcc824446033b00b58b39eb409ce6f84cf664c4d7c24

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
236d9d57e2421d080c22c41f26ed9139

SHA1
5e8ac3448f2c98bbbe0208172829ca820b3fe0da

SHA256
4e73470bc3b1b6c88c6eb9f837f4b6f20fec03bea8ef9d06d4bcb5b6cc5e15b0

SHA512
671fbf206a7a7056a4b500b7911de9ff994528c33b555f3d324007d6e4008b65eceb8dffac1b6b301917b98c11b4236d082f382ec45fd3ad5658cc788fb5cb6d

Download Submit
memory/2132-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2132-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-17-0x0000000002150000-0x000000000217B000-memory.dmp

Filesize
172KB

Download
memory/2268-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2280-29-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2280-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2416-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2416-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing