neconyd | fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf

General

Target

fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
Size

92KB
MD5

8dd4e855465f49a4ae7d98fbc238697b
SHA1

eb2b09e71c5a46cc7114f2d21d1ee38d4d472186
SHA256

fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf
SHA512

76e5ca371ee47db26427334025348dce7049b301552077bd0f23256161d047985141cba971f1440ac30f031fba981a3fc259e25f202c1c8bcb0e810de8bad2ea
SSDEEP

1536:Kd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5d:KdseIOyEZEyFjEOFqTiQm5l/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2208	omsecor.exe
2868	omsecor.exe
2972	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2292	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
2292	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
2208	omsecor.exe
2208	omsecor.exe
2868	omsecor.exe
2868	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2208	2292	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	30
PID 2292 wrote to memory of 2208	2292	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	30
PID 2292 wrote to memory of 2208	2292	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	30
PID 2292 wrote to memory of 2208	2292	fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe	30
PID 2208 wrote to memory of 2868	2208	omsecor.exe	33
PID 2208 wrote to memory of 2868	2208	omsecor.exe	33
PID 2208 wrote to memory of 2868	2208	omsecor.exe	33
PID 2208 wrote to memory of 2868	2208	omsecor.exe	33
PID 2868 wrote to memory of 2972	2868	omsecor.exe	34
PID 2868 wrote to memory of 2972	2868	omsecor.exe	34
PID 2868 wrote to memory of 2972	2868	omsecor.exe	34
PID 2868 wrote to memory of 2972	2868	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe
"C:\Users\Admin\AppData\Local\Temp\fc511801d971a1a5af8305d98ebfeab294724a3ec219a3104940c17492e9c4cf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
6ed7e47bf3ddb73f7324ca3b6a40808a

SHA1
82229332394f647bb7067d3c86ec80fd76dbe9e5

SHA256
ec7c2928b644a907c67eae1c6eca7d72efa2d08bf64082e23844ee41cff67dc7

SHA512
1258a7d92ba96d0c449d02c575b195e207f7ce33c6074c9ba1b8cc86da2b9266da3599b07a5e9d14f173d6027961ce00f0e74addb48ca32e35365977534ebd77

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
b40b890e60357bdb7e22ab3d85c42ec1

SHA1
d2985447a8695539b1f11c925eece7f201012c52

SHA256
c172b933622115fcc497917a4cf8e9751c1da7f3bfad246c011ccb29bff7d615

SHA512
4542df1b9a2232a5492516737d5b71128b00f85d98fe7d6ecf8d6f1d4022c38eb04a8ab0958ac2bc735cced44acc7ea55f60c33da2cbf3feea1b5819247d7771

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
2579582ac062054e7eb0042617c9a82d

SHA1
c213a877f29d57553db400573dbb0a40cbfbb809

SHA256
b4e0d53e9734b6d3bea6c2beb946408a3d192f877ae6ee3672e870e6086702bd

SHA512
d0271d7305a60fe1c18e3fffd6e2aefea43162e4af7f5b13311a79e0605fb3c4014f4b8f3bfff5e332eda01a5a9cc86b9f976fe2eff65e596f71cf1d89834275

Download Submit
memory/2208-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2208-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2208-16-0x0000000000430000-0x000000000045B000-memory.dmp

Filesize
172KB

Download
memory/2208-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-9-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2868-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2972-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2972-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing