neconyd | d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a

General

Target

d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
Size

92KB
MD5

4e4dbc0d7fa4ec586b9c1ec635942faf
SHA1

7977b5c48cb725afa4d7bea9b9bdc0d182c8299f
SHA256

d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a
SHA512

08533947db74605344113ebf8ea7f160bf59de80a2f4d12df382495d53f70b0c0e44b87e512c5d433b8c30aed35d4da149808306372cd2bb8325c15812d70121
SSDEEP

1536:sd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5V:UdseIOyEZEyFjEOFqTiQm5l/5V

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2444	omsecor.exe
672	omsecor.exe
2504	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2500	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
2500	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
2444	omsecor.exe
2444	omsecor.exe
672	omsecor.exe
672	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2444	2500	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe	30
PID 2500 wrote to memory of 2444	2500	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe	30
PID 2500 wrote to memory of 2444	2500	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe	30
PID 2500 wrote to memory of 2444	2500	d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe	30
PID 2444 wrote to memory of 672	2444	omsecor.exe	33
PID 2444 wrote to memory of 672	2444	omsecor.exe	33
PID 2444 wrote to memory of 672	2444	omsecor.exe	33
PID 2444 wrote to memory of 672	2444	omsecor.exe	33
PID 672 wrote to memory of 2504	672	omsecor.exe	34
PID 672 wrote to memory of 2504	672	omsecor.exe	34
PID 672 wrote to memory of 2504	672	omsecor.exe	34
PID 672 wrote to memory of 2504	672	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe
"C:\Users\Admin\AppData\Local\Temp\d8b2fea6299012d53d989148760223234af6982677f11d92b77cf2e307bd5d1a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
2311f2c6b6485ec165f981a713d5cc06

SHA1
a1b028caf711dee1fd21c0b31f372549b88ea0e0

SHA256
bb8b9780732ff626c5a94f4a34c32dfc28f8503594a768df7ed937aa7dbd104e

SHA512
ceb18eced48411ba052a5215032caa6c988247b4ef71c1a183272dfe7bd725e5de73b8c98256c17df9ef40ec5d6709104e0ae456a129f52699d7986d410f0074

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
7d6692c80d8bcc6c85f95aafa51107d7

SHA1
642ff6ec5497ef0cb349f8bc0df4d1d5dcbb2f86

SHA256
1c8b1d5b0afc54efbfe05e5eb627fb97f7b35a17789944e7b4c6514f9e35e398

SHA512
f2ee39124a54b10eb911bee6806a163af197215a24904bbe4f7f221b8cef5c92dfe300e2efb6feb813c47d462fb8a8a9622e51311fd2ea395254678aedd007da

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
6b128d4bd35524fe6eb08043bb61ac0d

SHA1
e7ee18638134a6a034c2f252cac118868961b5ef

SHA256
51694aca6f2a9d22fe65694a55426fe6560ac4428daf251e2312bd0c1e75343f

SHA512
0f8465326d03957162b2a4634ead66d5f1d1dac5eaddd088ef8414336317eb35615cc75e4cb5c501a84a761bad2e92000a98b0b9813a7a904dd3dd2be1561042

Download Submit
memory/672-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/672-37-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2444-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-17-0x0000000001FE0000-0x000000000200B000-memory.dmp

Filesize
172KB

Download
memory/2444-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2500-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2500-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2504-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2504-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing