neconyd | 2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1

General

Target

2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
Size

61KB
MD5

d8b6d1e5d8f4a0a2502cb88b05946362
SHA1

65266340274f3786fe7174758b488abd11b2cc77
SHA256

2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1
SHA512

af48816b149d55d60e851f2d6714e200d1a16808bad51c9be2c2f044b62a8be7564554c69f1478b487d7af87a8852c404aad78d22243b979a58d4e22f067cf72
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:kdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2632	omsecor.exe
1676	omsecor.exe
1684	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2244	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
2244	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
2632	omsecor.exe
2632	omsecor.exe
1676	omsecor.exe
1676	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2632	2244	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	30
PID 2244 wrote to memory of 2632	2244	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	30
PID 2244 wrote to memory of 2632	2244	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	30
PID 2244 wrote to memory of 2632	2244	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	30
PID 2632 wrote to memory of 1676	2632	omsecor.exe	33
PID 2632 wrote to memory of 1676	2632	omsecor.exe	33
PID 2632 wrote to memory of 1676	2632	omsecor.exe	33
PID 2632 wrote to memory of 1676	2632	omsecor.exe	33
PID 1676 wrote to memory of 1684	1676	omsecor.exe	34
PID 1676 wrote to memory of 1684	1676	omsecor.exe	34
PID 1676 wrote to memory of 1684	1676	omsecor.exe	34
PID 1676 wrote to memory of 1684	1676	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
"C:\Users\Admin\AppData\Local\Temp\2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
5352975a664ecc85d9f610839f3cc3f1

SHA1
8d2818c9217ad3ebed0f005c84eb2015d73a6023

SHA256
4f7f4ebd2f55f2d1e3abff84adaf6618f8c99ffbe9b467e1caf1eac10ebaba9a

SHA512
979cd5a6b5b494bedf2dfeeef82bc7f22fb3060b1afc5f491139b4ee1c8b22702eb8672d831d640c0da81addbcea68c0ad1b32745b276561c02425395179fbc0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
ef35f1f5668760ced5444fa4946d9786

SHA1
4df4284e110173ec36af67b060ca03f4c0180cc5

SHA256
3dcc0ca580991e5d2519723be405a3d9a5de6ca890e779a90258029a54886409

SHA512
6450057d24188328877af4b13ae7880e0125017ead2f501fb42217d852323d3c752c1178338d25c68676a3ffe23ace6877980fd048bf07faef680ff416e059f8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
86c40dd7cd5483a30ccc49f578cd72e9

SHA1
14c13750c15c52e8004d81af1bd5db67dc2ff1a3

SHA256
46bd21acbd50200fa1acf1e2aec44bc801c06a25be1a48f97b8de5ba118900fa

SHA512
3f35b1639fcd570a27c39488feff9e2ac5714546f08859d38f5d5172cf829d307acdad5f2dfbd9240bd47ae5de48ab4a273f72152dee419d78746f9e68456f71

Download Submit

Analysis

Sharing