neconyd | f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47

General

Target

f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe
Size

76KB
MD5

3ec6bfba8944e2ba6b17cd488ec7eb17
SHA1

a290ba70e0fbb91ae287404f7eca37cbedca849f
SHA256

f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47
SHA512

d49d13ea2fcd6366c402feab6a25f5218282f05cdeda11ace102b7d9217d0b4f64d61affca9b9e3799b57fed643fd585a963d01584e2caefd7970582fc4a55f3
SSDEEP

1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11H:9dseIOMEZEyFjEOFqaiQm5l/5w11H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2888	omsecor.exe
2392	omsecor.exe
2860	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3064	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe
3064	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe
2888	omsecor.exe
2888	omsecor.exe
2392	omsecor.exe
2392	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2888	3064	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe	30
PID 3064 wrote to memory of 2888	3064	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe	30
PID 3064 wrote to memory of 2888	3064	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe	30
PID 3064 wrote to memory of 2888	3064	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe	30
PID 2888 wrote to memory of 2392	2888	omsecor.exe	33
PID 2888 wrote to memory of 2392	2888	omsecor.exe	33
PID 2888 wrote to memory of 2392	2888	omsecor.exe	33
PID 2888 wrote to memory of 2392	2888	omsecor.exe	33
PID 2392 wrote to memory of 2860	2392	omsecor.exe	34
PID 2392 wrote to memory of 2860	2392	omsecor.exe	34
PID 2392 wrote to memory of 2860	2392	omsecor.exe	34
PID 2392 wrote to memory of 2860	2392	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe
"C:\Users\Admin\AppData\Local\Temp\f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
dcc1b77be3caee9b36a00eca7e2c2b18

SHA1
a4f2ed3a8297d87ab1579bb580fb88d84244b691

SHA256
2cc3e3e129b4f43a9bee03fdd4f2566152c0b8541482641b24d3870fcd8451e6

SHA512
2622e6aa6882de6ebb31109cda9512d9763eb70f5f74b9c2e2fad41d46515bf37275d4edcd9e6bd6d99aac1b5bcf50e1bcefee53fc8d5d432ca311046847397b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
d84ecb40c785c8c373ae9d847b04b6b2

SHA1
9619f66be38c89962789e501444742008b39ad4c

SHA256
01dc12fe46bceb3e8ec467b051b3da2fcfc456f9333d3a2574dba8a2c1d33e7b

SHA512
c5f15552211f32c1515094089933c11db741946da17a141f0faa80f53a5dea5edc36c0de95773a81122ab5fd575d38bc84344be1c55fdfbe7290eec4e72a18d4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
1477a880136c60895fd1401b8347286f

SHA1
94635eaa9d5e15e91e15d1f7c0e1c93ccaf2eb47

SHA256
40a520b17a75d3b07f0fcec6dfc78b96dfc834ca9607002a4f443454259abfc8

SHA512
9621d968e31f91297776dfc814ba2a485540967e92f0f8f6d484d96ebb23f6d414cd6432f56c295a26647ada095572015112617189a078a72f15efa9884fc868

Download Submit
memory/2392-33-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2392-34-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2392-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2860-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2860-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-17-0x00000000004F0000-0x000000000051A000-memory.dmp

Filesize
168KB

Download
memory/2888-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3064-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3064-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing