neconyd | fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe

General

Target

fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
Size

80KB
MD5

b1f8acd97175c71200908ec76ccf7906
SHA1

6c276b3aa94849880068b9f1c25490cc4e9e7152
SHA256

fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe
SHA512

489d8d4f949677a5784035d297561d883c7260492247504c107918847b49d02fdea5cf1b553dabb7ba163d1108fb4c93e12253d03ca58582268308ada1dc4c9c
SSDEEP

768:tfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAO:tfbIvYvZEyFKF6N4yS+AQmZTl/5m

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1128	omsecor.exe
2868	omsecor.exe
668	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2116	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
2116	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
1128	omsecor.exe
1128	omsecor.exe
2868	omsecor.exe
2868	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1128	2116	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe	30
PID 2116 wrote to memory of 1128	2116	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe	30
PID 2116 wrote to memory of 1128	2116	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe	30
PID 2116 wrote to memory of 1128	2116	fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe	30
PID 1128 wrote to memory of 2868	1128	omsecor.exe	33
PID 1128 wrote to memory of 2868	1128	omsecor.exe	33
PID 1128 wrote to memory of 2868	1128	omsecor.exe	33
PID 1128 wrote to memory of 2868	1128	omsecor.exe	33
PID 2868 wrote to memory of 668	2868	omsecor.exe	34
PID 2868 wrote to memory of 668	2868	omsecor.exe	34
PID 2868 wrote to memory of 668	2868	omsecor.exe	34
PID 2868 wrote to memory of 668	2868	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe
"C:\Users\Admin\AppData\Local\Temp\fb7d8dab0cc81f04533ac27f173c24971d79cb57659ea96f881d1e6c7a8530fe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
d7e912cd743b0bd5519d91debc0fc60c

SHA1
3f8d71605c781afd0336e98cb243ff9662ab4b8e

SHA256
cd1961b57e562b8b8f5d9cd0d76bb72b3c29879fee45c4fb5b21f1c95aa572d1

SHA512
c4af01cfb02b7bc12bede6e2a769c3137351fe3474a8d63c55ff3dde0d2abe5d729bd2c34d1a53a07ca1827a5218b1754a9b899041147e1b7c2930c9127f9da5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
0813eea1a1e36ac4e2a6c9dd5e8835c8

SHA1
476739c4340f206b31166f1360e0a1e716cab636

SHA256
0daceeed1c912cba9a0cfb4efc7f403a4bb692c57325cb5e59c68bf901d88870

SHA512
80df1fe63850c90eb1ed5a765bc9afbd7778a0b9a639fb57b6d922184119e19158d8ec044ea473f78b6221d6e404fb4cf5b2740d311bcea8ed61437e98e3aa8d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
f44fecf2a2db7f5e73aebbd0aef97ab0

SHA1
2268cc507f8ce4105ed23b8fb7029e878ed08bac

SHA256
43a4fb7ace01316cddd48c8681acd0d71ef7a0cadc62669fe097cdfa9c14628a

SHA512
fb1fa1d62667935c7305657f88b6d9627f57fec72c6e9ff8b596d7a027433c892fc031cdad32277c2e1e6afd224024c27342f990b5fa208d2de98147c3744043

Download Submit

Analysis

Sharing