neconyd | fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf

General

Target

fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
Size

92KB
MD5

8dd4e855465f49a4ae7d98fbc238697b
SHA1

eb2b09e71c5a46cc7114f2d21d1ee38d4d472186
SHA256

fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf
SHA512

76e5ca371ee47db26427334025348dce7049b301552077bd0f23256161d047985141cba971f1440ac30f031fba981a3fc259e25f202c1c8bcb0e810de8bad2ea
SSDEEP

1536:Kd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5d:KdseIOyEZEyFjEOFqTiQm5l/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2896	omsecor.exe
1232	omsecor.exe
2780	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1548	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
1548	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
2896	omsecor.exe
2896	omsecor.exe
1232	omsecor.exe
1232	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2896	1548	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	31
PID 1548 wrote to memory of 2896	1548	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	31
PID 1548 wrote to memory of 2896	1548	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	31
PID 1548 wrote to memory of 2896	1548	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	31
PID 2896 wrote to memory of 1232	2896	omsecor.exe	34
PID 2896 wrote to memory of 1232	2896	omsecor.exe	34
PID 2896 wrote to memory of 1232	2896	omsecor.exe	34
PID 2896 wrote to memory of 1232	2896	omsecor.exe	34
PID 1232 wrote to memory of 2780	1232	omsecor.exe	35
PID 1232 wrote to memory of 2780	1232	omsecor.exe	35
PID 1232 wrote to memory of 2780	1232	omsecor.exe	35
PID 1232 wrote to memory of 2780	1232	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
"C:\Users\Admin\AppData\Local\Temp\fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
b40b890e60357bdb7e22ab3d85c42ec1

SHA1
d2985447a8695539b1f11c925eece7f201012c52

SHA256
c172b933622115fcc497917a4cf8e9751c1da7f3bfad246c011ccb29bff7d615

SHA512
4542df1b9a2232a5492516737d5b71128b00f85d98fe7d6ecf8d6f1d4022c38eb04a8ab0958ac2bc735cced44acc7ea55f60c33da2cbf3feea1b5819247d7771

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
4a6806b3e46f408c415295758f93bb11

SHA1
83ee0fb46c35afbc7ee372c55574f204d15c4a27

SHA256
b265faacc15650da79386e7b54135c8ec7680b47a3eda8d7a03b99694921d1df

SHA512
57f51a5365db8686962e69ce86ccc369b29e36994116793d77087831f5812c5f041578a0cbb6d29bfbe534efbc12f7048b8d4a7f2f365bcc16a3fc294a31c81d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
2998c2f6a809b5d4c2c14037f7f655bd

SHA1
33286dfe2b4925d0d8da310a605abd26596c9667

SHA256
fa2e710f35d3cc4551486550b2ac155b5e049dd140c1f5fb6d0b3b17d9633a2a

SHA512
a1ddd28dbaa8dbe8ac62df86c380a4f17d3e8b48daa31086f2024aefbf77690dd2dc285238beb483ee34dc03bd843b72f4464138313a8115dac2a1574477d8f8

Download Submit
memory/1232-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1232-32-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1232-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1548-9-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1548-3-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1548-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1548-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2780-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2896-24-0x0000000002250000-0x000000000227B000-memory.dmp

Filesize
172KB

Download
memory/2896-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2896-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2896-23-0x0000000002250000-0x000000000227B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing