neconyd | 2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1

General

Target

2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
Size

61KB
MD5

d8b6d1e5d8f4a0a2502cb88b05946362
SHA1

65266340274f3786fe7174758b488abd11b2cc77
SHA256

2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1
SHA512

af48816b149d55d60e851f2d6714e200d1a16808bad51c9be2c2f044b62a8be7564554c69f1478b487d7af87a8852c404aad78d22243b979a58d4e22f067cf72
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:kdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2716	omsecor.exe
2360	omsecor.exe
2916	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1524	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
1524	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
2716	omsecor.exe
2716	omsecor.exe
2360	omsecor.exe
2360	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2716	1524	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	30
PID 1524 wrote to memory of 2716	1524	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	30
PID 1524 wrote to memory of 2716	1524	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	30
PID 1524 wrote to memory of 2716	1524	2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe	30
PID 2716 wrote to memory of 2360	2716	omsecor.exe	33
PID 2716 wrote to memory of 2360	2716	omsecor.exe	33
PID 2716 wrote to memory of 2360	2716	omsecor.exe	33
PID 2716 wrote to memory of 2360	2716	omsecor.exe	33
PID 2360 wrote to memory of 2916	2360	omsecor.exe	34
PID 2360 wrote to memory of 2916	2360	omsecor.exe	34
PID 2360 wrote to memory of 2916	2360	omsecor.exe	34
PID 2360 wrote to memory of 2916	2360	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe
"C:\Users\Admin\AppData\Local\Temp\2fca2f09936cea6367410846cc006cf2afb3ebe9cd89e36d9e12f4f41501e6b1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
5352975a664ecc85d9f610839f3cc3f1

SHA1
8d2818c9217ad3ebed0f005c84eb2015d73a6023

SHA256
4f7f4ebd2f55f2d1e3abff84adaf6618f8c99ffbe9b467e1caf1eac10ebaba9a

SHA512
979cd5a6b5b494bedf2dfeeef82bc7f22fb3060b1afc5f491139b4ee1c8b22702eb8672d831d640c0da81addbcea68c0ad1b32745b276561c02425395179fbc0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
5801d7960a15a8889d0b48723c823bb1

SHA1
2c32f096fece0f613a4172d1f3cb8e4857c88bd3

SHA256
47bf406084d14ed233933232e9f5bfc0eb41a425d5a4108c709eb32d84653c1e

SHA512
6e37eae56406f9b8fa0c90547849199651e51f82089c2313468efede2243a5063ecf90190ad296c16c336ad548ea51761c8e722c5c038a6bb3223d9ec8a88e06

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
e8941e1b4957d0b284624f796bc83294

SHA1
22862d58068620ae102dbfb4ff45819bf5a6deb1

SHA256
b16b0700cb6a0697853d120daeaeb6c8f0465bc11989ac92b58ae5a8264dcf11

SHA512
97efc9a55bef681636d5cd1ba5752909309cc51c58ba5c973d47f1f323bc63a060334c094fae8ee6490222be6775b5a913a17c556d52681bef166649db7225fe

Download Submit

Analysis

Sharing