neconyd | 84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075

General

Target

84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe
Size

71KB
MD5

08a6ddae39ba4f7ac48cb82e76bf57a9
SHA1

2c0f998f05a02b4b924cf148a6a6b035c7f9bc2c
SHA256

84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075
SHA512

b97ecb9f0ea386af82ad678659a85c220bc92304e912c030159c042a2a3a7a9df9994f4b574bd44883f00c244c273456b98f92cdadc07e61bba7bcea487d2117
SSDEEP

1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHv:4dseIOMEZEyFjEOFqTiQmQDHIbHv

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2516	omsecor.exe
1812	omsecor.exe
2912	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
576	84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe
576	84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe
2516	omsecor.exe
2516	omsecor.exe
1812	omsecor.exe
1812	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2516	576	84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe	31
PID 576 wrote to memory of 2516	576	84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe	31
PID 576 wrote to memory of 2516	576	84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe	31
PID 576 wrote to memory of 2516	576	84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe	31
PID 2516 wrote to memory of 1812	2516	omsecor.exe	33
PID 2516 wrote to memory of 1812	2516	omsecor.exe	33
PID 2516 wrote to memory of 1812	2516	omsecor.exe	33
PID 2516 wrote to memory of 1812	2516	omsecor.exe	33
PID 1812 wrote to memory of 2912	1812	omsecor.exe	34
PID 1812 wrote to memory of 2912	1812	omsecor.exe	34
PID 1812 wrote to memory of 2912	1812	omsecor.exe	34
PID 1812 wrote to memory of 2912	1812	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe
"C:\Users\Admin\AppData\Local\Temp\84d47b7ef6101d7300e0f1f31ece9481abf8dde2aa76d47c8bd2d01422d2c075.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
ba9a1b08dfc147d4b07053725b5c02b8

SHA1
a099a35701c2d0886e14db90074cd90cc480ec71

SHA256
25e1f491d8457325c88c244bd42c2322160bea71c0e483d038c51a0b8e927d5d

SHA512
19525a0c1c8d0a134c8be0b42795e2aa1789ea3ef450cac07e53db4b0c5c12c187b02fed14a95cfc3b06d52cb3cb02c3e446d7fc5fa5091b2209bc4aa4363a69

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
fed1744cabdbcd081f505619aba7ccee

SHA1
116890bc81f04855c587f98c4896397765e7df65

SHA256
eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2

SHA512
8ee8d58b710df5749867ed0dd30a65fe0ed2c4a739de377e5d827f0e29f462ee4fe1ea38918b2fd80f5a16cd7ab2f083fad3eca75f18f96ee9b14736bb233d9d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
05fecf44e710ab1f3bb34331c8554b38

SHA1
a330b85e6cb4ccec785df1358187beab2af409bd

SHA256
3117e8391a994290c9e11b393537b2d06dd60db9a992bf2d58056f4f67114b27

SHA512
ed59ab67a2111e0daf39fada642c55fd91f98073ea632d5011dae8eab64ac000102e76e750cfad220dfdfbbf0b61b000c63174743878ec86cabb3f29dac5b7ab

Download Submit
memory/576-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1812-29-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/1812-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2516-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2516-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2516-16-0x0000000000430000-0x000000000045B000-memory.dmp

Filesize
172KB

Download
memory/2516-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2912-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2912-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing