neconyd | 87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd

General

Target

87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe
Size

65KB
MD5

f4d23a12b91eabc6b0ab6d74b3165840
SHA1

e3e5761bb1d5155fc4f8d83ee53877bcbf8aeeca
SHA256

87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd
SHA512

62cc1168ad0c21ca1dbd636b453577d147e2b4d15c17f6e26b516f9f8bb7417b843235aebd4c50f4b8a8986d06b84cc4b810ed240faac4ba643728f489b93886
SSDEEP

1536:Od9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:WdseIO+EZEyFjEOFqTiQmRHzl

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2868	omsecor.exe
3028	omsecor.exe
2968	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2708	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe
2708	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe
2868	omsecor.exe
2868	omsecor.exe
3028	omsecor.exe
3028	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2868	2708	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe	31
PID 2708 wrote to memory of 2868	2708	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe	31
PID 2708 wrote to memory of 2868	2708	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe	31
PID 2708 wrote to memory of 2868	2708	87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe	31
PID 2868 wrote to memory of 3028	2868	omsecor.exe	33
PID 2868 wrote to memory of 3028	2868	omsecor.exe	33
PID 2868 wrote to memory of 3028	2868	omsecor.exe	33
PID 2868 wrote to memory of 3028	2868	omsecor.exe	33
PID 3028 wrote to memory of 2968	3028	omsecor.exe	34
PID 3028 wrote to memory of 2968	3028	omsecor.exe	34
PID 3028 wrote to memory of 2968	3028	omsecor.exe	34
PID 3028 wrote to memory of 2968	3028	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe
"C:\Users\Admin\AppData\Local\Temp\87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
49441ae6cd63dc48982bb90c6fc560f3

SHA1
bcc9f49858f552a50260972d964dffac16b6e047

SHA256
d473faedcf37e08f71f3c709a7a20c7af00d20cb643333e1429a841a909ff5b1

SHA512
91042c38eba3ee02a8fb63e09031a276b3ac8facbab4e776811e11d21beb650af9465e8dcc404011df79c12851a4e95e2b7d7929fc7dd3eba1ad8341bc936927

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
6f0742dda9615f89331da8e2fab0f796

SHA1
80ba2d59dac3684101f0abac1481bb8c652593f1

SHA256
261cf7133a4f55df9cc3fc72cc58991bbd69789f9098e1064a058321b2e24ff3

SHA512
64e945e6acd96b291abd5fe3b9342b0474af9afae82b188bd23ebc6d1735c5b8a60654b43d8de3f0670ba286f894c86b1c1e837195b5b9e94cee61e3cbf0be3a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
22b16ae4d5bb01e3dd2f0d6617c7afa3

SHA1
8dbe9262767cf5591f906dcac57b383758e8f136

SHA256
c0afc6095133c0163667c7e02ddfc078ec9feb96dd2f16fa2a6794863e109a1e

SHA512
71ca13e70064103611a773238088cd1f6e57bfbc4dbd578671975f5b8fbc8fa9a19a4f2acd4322bd07f4213ab3e1aba6224de02875a05688ea739fa99fc69c3f

Download Submit
memory/2708-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2708-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2868-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2868-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2868-17-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/2868-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3028-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing