neconyd | 8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28

General

Target

8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
Size

88KB
MD5

3aec4f04e9758e3fbb80b9f774907185
SHA1

13ba3a484de505ebe27e7fdfdce5f9c36451288b
SHA256

8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28
SHA512

2ddca3cd6e9af6d0bf7e9a718107191aefa3e13088f5b243c396033efcdf4331912f6c31a3f37fef87faa053a0df4adc4d5e04aac3b176b39b4d6a967dd52c32
SSDEEP

1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5r:edseIOMEZEyFjEOFqTiQm5l/5r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2504	omsecor.exe
3028	omsecor.exe
2044	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2484	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
2484	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
2504	omsecor.exe
2504	omsecor.exe
3028	omsecor.exe
3028	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2504	2484	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	30
PID 2484 wrote to memory of 2504	2484	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	30
PID 2484 wrote to memory of 2504	2484	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	30
PID 2484 wrote to memory of 2504	2484	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	30
PID 2504 wrote to memory of 3028	2504	omsecor.exe	33
PID 2504 wrote to memory of 3028	2504	omsecor.exe	33
PID 2504 wrote to memory of 3028	2504	omsecor.exe	33
PID 2504 wrote to memory of 3028	2504	omsecor.exe	33
PID 3028 wrote to memory of 2044	3028	omsecor.exe	34
PID 3028 wrote to memory of 2044	3028	omsecor.exe	34
PID 3028 wrote to memory of 2044	3028	omsecor.exe	34
PID 3028 wrote to memory of 2044	3028	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
"C:\Users\Admin\AppData\Local\Temp\8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
2a7b543e4d9d99723e4ed24394be9bb2

SHA1
b3dc39e31f102e7ab0383c4d319231acd3431abe

SHA256
b320cfb86fd1c6c9078f7df25ad456fa9b27ac8b519aabe868bb01549105e260

SHA512
77f50415515327ff5eedfbd24928274ff3bbe3c9e0ab9597f1aae77032071701396e21d488372b36384cc7f22b769a37708097e001b5ead3ead7860e4917e0cd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
a3cdb2e890ad089073adb95065a07eb0

SHA1
dea19873525959f2c0f330ded304cb52e5c0a1de

SHA256
90f7f7e74d17725cf5c5b9fd97ff00a3fdde70858e8f8da49a8286548e91404d

SHA512
a883ee1da88aac57bdcc1e125f40e454332a818b6350cc53a098546f74f07f03e2946dbbef47a91e336a8ea2d6d09b6442e372ab9e06499265b167359dfc126e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
c0ce6246ebbd03f3db853dfa48019264

SHA1
0c0b1f8d0e393e3e837adc56fc63126b976aec3f

SHA256
1ba5ead843bb10890bb9ba1e5440aed09e074260c1c165cd217b059eb9dba19a

SHA512
94d9eac845fac2b9c234b8eee237d115b599835c139fa589378a638a87714355d85a318ee87d25cebb4f1a57712d0facc0f0cc4008cf3970b4efa8b2a2f1f359

Download Submit

Analysis

Sharing