neconyd | b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0

General

Target

b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe
Size

33KB
MD5

560142c261aa0aa95971d5488e182a80
SHA1

8b159b05a9727dfb0064f840961e8db3a3b53a74
SHA256

b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0
SHA512

fe3b293dde9e2ebb5f375c8cfd58557ba9da73a0f6fe9958c16f903baaac22be80a60dcdcf1c0a5ce2837b9b3d1307d55bc1d5130ec10d883aeb41a2868d13db
SSDEEP

768:efVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:efVRztyHo8QNHTk0qE5fslvN/956q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2692	omsecor.exe
1876	omsecor.exe
1968	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1508	b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe
1508	b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe
2692	omsecor.exe
2692	omsecor.exe
1876	omsecor.exe
1876	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2692	1508	b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe	31
PID 1508 wrote to memory of 2692	1508	b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe	31
PID 1508 wrote to memory of 2692	1508	b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe	31
PID 1508 wrote to memory of 2692	1508	b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe	31
PID 2692 wrote to memory of 1876	2692	omsecor.exe	34
PID 2692 wrote to memory of 1876	2692	omsecor.exe	34
PID 2692 wrote to memory of 1876	2692	omsecor.exe	34
PID 2692 wrote to memory of 1876	2692	omsecor.exe	34
PID 1876 wrote to memory of 1968	1876	omsecor.exe	35
PID 1876 wrote to memory of 1968	1876	omsecor.exe	35
PID 1876 wrote to memory of 1968	1876	omsecor.exe	35
PID 1876 wrote to memory of 1968	1876	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe
"C:\Users\Admin\AppData\Local\Temp\b4d1f4157150e3ada46cf5cf04a9c442bdb99047069eb5cf8eb2c55ef1801bf0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
8f86c5da132053cf9f9ce5fa22095026

SHA1
d301ce96b7583b3892bbd71ddf4b892fc4583a52

SHA256
bed82189bb9b5f8aef95cca39e85ffa2461c33ee38a04b7d8a56df130d38da94

SHA512
98c201a72875cb6d5849dc0d87b318a947702038a7c9fa307e725df2f8386917a9fa5463d93ac233b5f86888a027c7bc48516ca4d245003493907a3d5d8dba6c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
6cf8a37ea46956a3d144569d041225aa

SHA1
55bece5201fe1ca9f41214ece104ebc0d4fda8b5

SHA256
33b2153ba370dd773181625beeff2620a0be39730210868a9b43177b12ddaaf4

SHA512
63264b09ac5802b8dd9286a9c2338e82117cedcf1a99f88d124ab1d03035def4c6be27b7e0a47978a34d181d5d0761f90ab383ea2f4d89862659f9693b631c88

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
fe81eb50f23ecd7ed0377d9ae0b0fbef

SHA1
4a4700f0dc278fa133971667c3676b6f3e53ff74

SHA256
0d48e80ffac645f6575edeeaf2c5e757641ffeb2384a99ea63ed14b16ac481d1

SHA512
2031a2dfe3e1ec0823c3cbbe819a99cba78acb3f525c5428e29151d40a47a905c8a5826fcf4f77fe63af5fa3b72fe2c7ed5835fe0e1c7abd115d8f81ef06ee6d

Download Submit
memory/1508-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1508-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1876-44-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-48-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-46-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-26-0x0000000001F60000-0x0000000001F8A000-memory.dmp

Filesize
168KB

Download
memory/2692-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing