neconyd | 4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e

General

Target

4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe
Size

76KB
MD5

7386d580dddefe874edb2d7825c51d52
SHA1

16309f985e351bc5b34d99c5ab17ad9552ba50c9
SHA256

4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e
SHA512

9b21054776bfd9462d5b6f0ebcf4f88605cb44921b0831fd1025a4d2e873501f27f45ccd366792a6e3b158594d4eaaad29afa81909c7f65e76120c2b123d11f1
SSDEEP

1536:yd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w113:CdseIOMEZEyFjEOFqaiQm5l/5w113

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2696	omsecor.exe
1128	omsecor.exe
2812	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1964	4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe
1964	4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe
2696	omsecor.exe
2696	omsecor.exe
1128	omsecor.exe
1128	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2696	1964	4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe	30
PID 1964 wrote to memory of 2696	1964	4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe	30
PID 1964 wrote to memory of 2696	1964	4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe	30
PID 1964 wrote to memory of 2696	1964	4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe	30
PID 2696 wrote to memory of 1128	2696	omsecor.exe	33
PID 2696 wrote to memory of 1128	2696	omsecor.exe	33
PID 2696 wrote to memory of 1128	2696	omsecor.exe	33
PID 2696 wrote to memory of 1128	2696	omsecor.exe	33
PID 1128 wrote to memory of 2812	1128	omsecor.exe	34
PID 1128 wrote to memory of 2812	1128	omsecor.exe	34
PID 1128 wrote to memory of 2812	1128	omsecor.exe	34
PID 1128 wrote to memory of 2812	1128	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe
"C:\Users\Admin\AppData\Local\Temp\4fbce909ae0da37ed40da1c8aab0696eb797ffc637be1cf103dc9fbca8539f2e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
dab49e619379f458c7a6582d0eeb0f1b

SHA1
1d33c576343b33626a103e29602ccdc7fb805d8a

SHA256
980663429cbf08ed014e5eea03325c92b28d886046f7b8754e38de5019fe0498

SHA512
a3266a09c344f55b447b423d7247ba9c727c48ba1ec40ec132749a5642dc9dbd10e1d2e80945fdfcb6e178c1e67e0107e6e8ef89863607823cb3916798984550

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
5ebdb3b38f74997e29445ac076d635c0

SHA1
b09feb974dee41910ede37d8f5e7362e0d582de7

SHA256
83fd5a0bdfddfec85ec76e708f9f5f625ce1fcfa0e9ecedab86915aec0535584

SHA512
c8794159d37bfe82675db136988ebbd2f262e08ffc284c243f70f12edbb5fa30e2449719744757f422e469baff851e9640f1487255dd12adeb664f84172307a1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
06045b8c1ab8a0780def9bfe02b68968

SHA1
d87eac0d03ba9f1e56eafee9f720cfb929121211

SHA256
d0179ad458e4b0f1a1a9ddf6c4a772cbfe95a8b37323a26744e7c3a8e583660f

SHA512
213c959ef8fe6102e1d824f3c2c8ef623870db5ecd69f9367842ecdc271d67166acda371e15ee16d6063ce21eb01ad700e8ad38a880cf9934a21783872302611

Download Submit
memory/1128-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1128-32-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/1964-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2696-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2696-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2696-16-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2696-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2812-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2812-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing