neconyd | d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0

General

Target

d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
Size

65KB
MD5

094d56d2da3041bb8815811ce7b5214e
SHA1

ebaf98345d06ec97eb65029233e937f8582613b2
SHA256

d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0
SHA512

8e9e16948a84aec3539f3a249c27c6376c3e91fb85464417747c07eaa533b1c8e23eea2493400800d1adb15a69c8b730d9637714d1209b7bc23b6aa7f58a24ea
SSDEEP

1536:Bd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:xdseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1396	omsecor.exe
2984	omsecor.exe
2828	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2408	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
2408	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
1396	omsecor.exe
1396	omsecor.exe
2984	omsecor.exe
2984	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1396	2408	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	30
PID 2408 wrote to memory of 1396	2408	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	30
PID 2408 wrote to memory of 1396	2408	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	30
PID 2408 wrote to memory of 1396	2408	d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe	30
PID 1396 wrote to memory of 2984	1396	omsecor.exe	33
PID 1396 wrote to memory of 2984	1396	omsecor.exe	33
PID 1396 wrote to memory of 2984	1396	omsecor.exe	33
PID 1396 wrote to memory of 2984	1396	omsecor.exe	33
PID 2984 wrote to memory of 2828	2984	omsecor.exe	34
PID 2984 wrote to memory of 2828	2984	omsecor.exe	34
PID 2984 wrote to memory of 2828	2984	omsecor.exe	34
PID 2984 wrote to memory of 2828	2984	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe
"C:\Users\Admin\AppData\Local\Temp\d7ef65fd972277829b247655aeaa985738e5eb6028bc9eaf4006ae02a79b50c0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
359a3222942fd7f53acf78503cd3595b

SHA1
9645d8586e7c5311489e28c89e31b3d26f41c5af

SHA256
1fb9d9767490839b3308779d69178300d305ea19caff320c8eabbc2a1dfafc19

SHA512
76b057054cd15a7a8b8ef1f3dd942a95a0b9a79cc0bc1b60dfbbb22334d5f2c0726b1bb55d6fadd67c74b6d65d21830d0a222d82e019023a94ea5b9aa3341432

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
26521f0097cf4c33ea552afac9df2ab5

SHA1
854af9ab740f4ec926005c2f52daf3370418c87b

SHA256
47ac4cbfa1210703bf25a27c20b066053596572269a6e5c27c7d588c16617a66

SHA512
40834de8c4d32a62cd399557f0bce853f9479dafba727f9bc5f4e3856ecf82992f7867dfc8980b0ad16bd9e828e933710be67f2bd8dae25c7a1452c7898ecd9c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
ed0d289526f1270d782827b0f36f4a5b

SHA1
845cc591c00d8cd596599b7d39191b098f3cfb6a

SHA256
c3e5e55c0ce923a1c5b13f4dc5cf4f3d31dfadb7b87c1fed8e8025fc7dc92455

SHA512
85a549755376f3f559034c4649ca274062519211483c0455b36b67079e9504512e2ac4cddcdeca58468613dc1afd6a1b9926b6ae17988aba6bf5712eb64d1171

Download Submit
memory/1396-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1396-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1396-16-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/1396-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2408-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2828-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2828-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2984-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing