neconyd | 2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed

General

Target

2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe
Size

80KB
MD5

877a17ef2cd38227583444233ece0684
SHA1

89e4cec63d23f58fce25fa07595ae3d434605ae6
SHA256

2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed
SHA512

67ed4735109cce0dcecd5ec525ccf394ec470b6f152b59617b18a40b9d3a4c9d6491fa190c3eb3f28db89ab6e2c16426d8897d32272bc452470f69f9ac883f94
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:TdseIOMEZEyFjEOFqTiQmOl/5xPvwv

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2912	omsecor.exe
2536	omsecor.exe
1488	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2072	2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe
2072	2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe
2912	omsecor.exe
2912	omsecor.exe
2536	omsecor.exe
2536	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2912	2072	2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe	30
PID 2072 wrote to memory of 2912	2072	2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe	30
PID 2072 wrote to memory of 2912	2072	2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe	30
PID 2072 wrote to memory of 2912	2072	2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe	30
PID 2912 wrote to memory of 2536	2912	omsecor.exe	33
PID 2912 wrote to memory of 2536	2912	omsecor.exe	33
PID 2912 wrote to memory of 2536	2912	omsecor.exe	33
PID 2912 wrote to memory of 2536	2912	omsecor.exe	33
PID 2536 wrote to memory of 1488	2536	omsecor.exe	34
PID 2536 wrote to memory of 1488	2536	omsecor.exe	34
PID 2536 wrote to memory of 1488	2536	omsecor.exe	34
PID 2536 wrote to memory of 1488	2536	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe
"C:\Users\Admin\AppData\Local\Temp\2b77d1a84b988d7648580aa4348c2416c485508941b6e60a31b17fe42915beed.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
a7a5ca98e7bebdc3514439aa241cd0b3

SHA1
1c3bcc694dc7414e2477562cb75ef6dd8066372c

SHA256
64da2fb5065e4bad9065c7524250227e24efa7b8b47f0818b111a1527f689eb3

SHA512
7e9bbc1a300bc0dfaf19dfcbce78aa4f7101a2269da32a9445b5b9827cbd958e57a4b0acb9f60c1492dcea6d295c026859f9262da2fa9b23e5ae26e5ee8e3210

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
026907a8da7166fac367bc7df8e7763d

SHA1
2582123d6fcbdfd4697b202276662fd2e5bc3a78

SHA256
36d9bd4fc7fafb386aebfe30b062c3c8ab737e476c21f69ffea507d782ffe153

SHA512
0e2f0cb471989abc8cd9aca443ebb8450aaf2d69c4b54ef58d64c2d72a69d7e313a0726cac75eee99b79f25926fb2e9b565a806eef8c073b4f551e020cdbd6ce

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
8ae8a7e70cdf869a4bd06ffb432344b3

SHA1
76c9aa2ee7f1814b0c5965d33ee2eb6f82f5cd56

SHA256
b05f57f4d3c77fb00aa7752ff5dde53c768ed53d2f0863030b0512dce0635912

SHA512
f23b9e6c939d3bf1102f359f5059b03d685ec7991fe20805c30681e1540649834d05beb0e3ac6a4e6cd7a287650390393d13103a2788c46110c39c0391097262

Download Submit

Analysis

Sharing