neconyd | eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2

General

Target

eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe
Size

71KB
MD5

fed1744cabdbcd081f505619aba7ccee
SHA1

116890bc81f04855c587f98c4896397765e7df65
SHA256

eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2
SHA512

8ee8d58b710df5749867ed0dd30a65fe0ed2c4a739de377e5d827f0e29f462ee4fe1ea38918b2fd80f5a16cd7ab2f083fad3eca75f18f96ee9b14736bb233d9d
SSDEEP

1536:Rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHv:hdseIOMEZEyFjEOFqTiQmQDHIbHv

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2384	omsecor.exe
1880	omsecor.exe
1908	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2076	eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe
2076	eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe
2384	omsecor.exe
2384	omsecor.exe
1880	omsecor.exe
1880	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2384	2076	eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe	28
PID 2076 wrote to memory of 2384	2076	eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe	28
PID 2076 wrote to memory of 2384	2076	eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe	28
PID 2076 wrote to memory of 2384	2076	eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe	28
PID 2384 wrote to memory of 1880	2384	omsecor.exe	32
PID 2384 wrote to memory of 1880	2384	omsecor.exe	32
PID 2384 wrote to memory of 1880	2384	omsecor.exe	32
PID 2384 wrote to memory of 1880	2384	omsecor.exe	32
PID 1880 wrote to memory of 1908	1880	omsecor.exe	33
PID 1880 wrote to memory of 1908	1880	omsecor.exe	33
PID 1880 wrote to memory of 1908	1880	omsecor.exe	33
PID 1880 wrote to memory of 1908	1880	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe
"C:\Users\Admin\AppData\Local\Temp\eb60f629bc961989e5bb2281d42e8d9cb23e1d5574adb2fc7873374b59a637f2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
3f04c8433451607a488a677ffb6f5381

SHA1
bd947ccd91408b410f9865978a28742590a2e519

SHA256
24f61a4a46a573fb54a948ca71e342d52ae49258426943effafc93feb35bb01a

SHA512
d33ca5b46437d88a189f101121b94e75f020709aca0b84af5958bd05d1ff51c374ff831e8078773bd66297e32bfb7f6d5e23a3ec163357fa3cc31b49647c5581

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
9b5c6bcac569971b351951bb1e34f670

SHA1
2de22673d6f8e8ccb7b492066d61d05f7bf1dec9

SHA256
f899da39a1e1625fb4262356acf386f22d87958bd0acbc8f66b3e7522f1ea5be

SHA512
409a2d4040d6c1c7d4996a2d0d86e167f849764b2f95818d409a257e5b1350b4f2f0bdb49f2e1504791cbdfff39422058d6785b32af31febdb45aef81329cf38

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
4638d4278e0e6b44090fdb5f21a84bbb

SHA1
4c0328750d5d0de9f016c8944056f884c32f3dea

SHA256
8a4c1e8c5ab3df22713780f70f1c66232b2bc82e4a760cc8186a38f83e0d6ae2

SHA512
0e711351d630aacba374e579c70aa1a010d04e26e8963752f1872a4255f2cbb2cac7f6f79a37948fa156c28aa8713452f5b9b7a345aa5e7e263f231f179c5f9f

Download Submit
memory/1880-31-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/1880-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2076-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2076-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2076-4-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2384-23-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2384-22-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2384-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2384-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing