neconyd | d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0

General

Target

d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
Size

65KB
MD5

094d56d2da3041bb8815811ce7b5214e
SHA1

ebaf98345d06ec97eb65029233e937f8582613b2
SHA256

d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0
SHA512

8e9e16948a84aec3539f3a249c27c6376c3e91fb85464417747c07eaa533b1c8e23eea2493400800d1adb15a69c8b730d9637714d1209b7bc23b6aa7f58a24ea
SSDEEP

1536:Bd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:xdseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1256	omsecor.exe
3008	omsecor.exe
1004	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2420	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
2420	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
1256	omsecor.exe
1256	omsecor.exe
3008	omsecor.exe
3008	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1256	2420	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	30
PID 2420 wrote to memory of 1256	2420	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	30
PID 2420 wrote to memory of 1256	2420	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	30
PID 2420 wrote to memory of 1256	2420	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	30
PID 1256 wrote to memory of 3008	1256	omsecor.exe	33
PID 1256 wrote to memory of 3008	1256	omsecor.exe	33
PID 1256 wrote to memory of 3008	1256	omsecor.exe	33
PID 1256 wrote to memory of 3008	1256	omsecor.exe	33
PID 3008 wrote to memory of 1004	3008	omsecor.exe	34
PID 3008 wrote to memory of 1004	3008	omsecor.exe	34
PID 3008 wrote to memory of 1004	3008	omsecor.exe	34
PID 3008 wrote to memory of 1004	3008	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
"C:\Users\Admin\AppData\Local\Temp\d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
bb4ac15844b0894d2648bb27874f325d

SHA1
b8aaddb88480f45addf570f6b027494135beb1ee

SHA256
ca6d7ec7d369f15ebbac06272dbf4fb719ec93a19c4207d0ae5bde4d910fc184

SHA512
192d6e6b4691ba1ad398e1cd062a4ad44080454e113a71bfe5a0b9ff5cde3b08f2c2d315a78bd651516f563a3a97bac606a3b50e71c4352fc0416598b266d13e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
359a3222942fd7f53acf78503cd3595b

SHA1
9645d8586e7c5311489e28c89e31b3d26f41c5af

SHA256
1fb9d9767490839b3308779d69178300d305ea19caff320c8eabbc2a1dfafc19

SHA512
76b057054cd15a7a8b8ef1f3dd942a95a0b9a79cc0bc1b60dfbbb22334d5f2c0726b1bb55d6fadd67c74b6d65d21830d0a222d82e019023a94ea5b9aa3341432

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
19efd61ad5d9e9e7928276534a60ed54

SHA1
8eaa590a4601de45df8307edfc965beb6df7876f

SHA256
eed97fbe977dbb184b9b5e917e7b9e602c0dff68b7bbaf94298a09101f6a2c0a

SHA512
2c35e54063deadae6a7761ef660980c55da1aed866dba061eaaf8e2a82cc4acf81e1292cd83bec1891204bd51e42fa69ac3b2853013554ab8f8650c8abf04776

Download Submit
memory/1004-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1004-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1256-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1256-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1256-17-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/1256-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2420-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2420-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3008-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing