neconyd | b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674

General

Target

b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe
Size

90KB
MD5

7af9b5ceda1e9d155668a9e6008d3b59
SHA1

083e8c8c047248bfa49b0a74024f2564074ceef6
SHA256

b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674
SHA512

551147b5165da5a5f9312cdc7a45b57377fee556207ac393753e02178c8ec5c4bfa30a30d0f3559bb19fc0a664071ca377d0484ee792045eb8258c6e141bdfa9
SSDEEP

768:UMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA+:UbIvYvZEyFKF6N4aS5AQmZTl/5W

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2856	omsecor.exe
2380	omsecor.exe
2820	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2084	b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe
2084	b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe
2856	omsecor.exe
2856	omsecor.exe
2380	omsecor.exe
2380	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2856	2084	b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe	30
PID 2084 wrote to memory of 2856	2084	b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe	30
PID 2084 wrote to memory of 2856	2084	b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe	30
PID 2084 wrote to memory of 2856	2084	b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe	30
PID 2856 wrote to memory of 2380	2856	omsecor.exe	32
PID 2856 wrote to memory of 2380	2856	omsecor.exe	32
PID 2856 wrote to memory of 2380	2856	omsecor.exe	32
PID 2856 wrote to memory of 2380	2856	omsecor.exe	32
PID 2380 wrote to memory of 2820	2380	omsecor.exe	33
PID 2380 wrote to memory of 2820	2380	omsecor.exe	33
PID 2380 wrote to memory of 2820	2380	omsecor.exe	33
PID 2380 wrote to memory of 2820	2380	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe
"C:\Users\Admin\AppData\Local\Temp\b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
af5bb426f8ee27bca4be5a96a0427f0f

SHA1
9700cdb94ed82c9d3606a517d396540fd0b4acc0

SHA256
ff2c501d50c6da761d543af1848bee323059b2835609924e72aa10117b851d26

SHA512
d36452c25ec4d183bcf04e7c9bede891da63cf846bdecd9ea8bb036a1dc36a0a08328e1e30afcdf496fdaad5ba430d42af96dd609efe9109a967ae38dd4ab781

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
81f1ee3b8fadf4e48d37a26f2b07ef27

SHA1
92a75de0206d0a6b73f6a3543beb32f72014b3c0

SHA256
1b8aebcb91de40128c65e6234363e06be42624ba13194a54bd180a3c47745dff

SHA512
bd7c30b4c527ad645f46dd66dc5c12346c38d19c4bfcd8b16a12e9d45772c1ca019f9ade29b785357af14d93d185a2810794b5b2566b023a2e873c992dabecbc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
c322ed216be62322f88c74eb56276f88

SHA1
51a67534698ebb4690945c90a168970a9ae78abb

SHA256
248b67843e4b661c547777d8e1a9e29953c53d765ce144bf09d6f5931f501d7f

SHA512
6920f2f18af7757fafa421226cb39d48409777469257827b8d792d5b591073b63786037b4c48bb999ccf5c2bdda3110871298f5f5e50a1f6e6885c8c1b66e09a

Download Submit
memory/2084-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2084-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2380-29-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2380-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2820-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-17-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/2856-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing