neconyd | 8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28

General

Target

8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
Size

88KB
MD5

3aec4f04e9758e3fbb80b9f774907185
SHA1

13ba3a484de505ebe27e7fdfdce5f9c36451288b
SHA256

8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28
SHA512

2ddca3cd6e9af6d0bf7e9a718107191aefa3e13088f5b243c396033efcdf4331912f6c31a3f37fef87faa053a0df4adc4d5e04aac3b176b39b4d6a967dd52c32
SSDEEP

1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5r:edseIOMEZEyFjEOFqTiQm5l/5r

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2184	omsecor.exe
2888	omsecor.exe
2792	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2148	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
2148	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
2184	omsecor.exe
2184	omsecor.exe
2888	omsecor.exe
2888	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2184	2148	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	31
PID 2148 wrote to memory of 2184	2148	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	31
PID 2148 wrote to memory of 2184	2148	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	31
PID 2148 wrote to memory of 2184	2148	8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe	31
PID 2184 wrote to memory of 2888	2184	omsecor.exe	34
PID 2184 wrote to memory of 2888	2184	omsecor.exe	34
PID 2184 wrote to memory of 2888	2184	omsecor.exe	34
PID 2184 wrote to memory of 2888	2184	omsecor.exe	34
PID 2888 wrote to memory of 2792	2888	omsecor.exe	35
PID 2888 wrote to memory of 2792	2888	omsecor.exe	35
PID 2888 wrote to memory of 2792	2888	omsecor.exe	35
PID 2888 wrote to memory of 2792	2888	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe
"C:\Users\Admin\AppData\Local\Temp\8bbf4cd485a5d6a2c3d17d88495bbf81392a9f60241d7c4cf8502688b5841c28.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
2a7b543e4d9d99723e4ed24394be9bb2

SHA1
b3dc39e31f102e7ab0383c4d319231acd3431abe

SHA256
b320cfb86fd1c6c9078f7df25ad456fa9b27ac8b519aabe868bb01549105e260

SHA512
77f50415515327ff5eedfbd24928274ff3bbe3c9e0ab9597f1aae77032071701396e21d488372b36384cc7f22b769a37708097e001b5ead3ead7860e4917e0cd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
efb715e33a5975708cfc60a3d6058e5e

SHA1
70f0a920c91ad610c48051654eb99d555890306e

SHA256
ac0a05dae730abc127683a098d66966aa066b742721a4bcc10a1ea040e5e42d8

SHA512
bb80c20cced842575c9a38b8b6ff1878e098efe22e8e0457377c166da8e9c26dfeabdabb4246f126f2c04cf09096dc4f8b3bac77603ba280c4819be88ce17143

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
d6bcd2854b56d4cd6ee2f9424e38db9d

SHA1
b4286349748776e3860830373f7275ca8331ce73

SHA256
f7d3b40b9ae32c0b1ee639480a060fcbb58cd939998ea3057066530cba47209a

SHA512
bd3d0056585f958eaac23394527307a4e5a5d5f414ca06eff2e710c531bf2105961be55eb8a2cfce0e50fe87a928be4c97e3e3a72c9adad5116e36d47046486b

Download Submit

Analysis

Sharing