neconyd | b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c

General

Target

b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Size

65KB
MD5

e4ff0fdaf9755cdf8427bb42af18c3d8
SHA1

11ddbf277b764f01345aa299c75224defe885ada
SHA256

b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c
SHA512

2c7f97f96e3268985e096424f0f4ea568dd70eb2bc2a2f16048e7bb9cdcc63e34f438d41b9da31e3852237012745e5eb6ac264732aadf08c942765f5bb5aa606
SSDEEP

1536:Md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzf:0dseIO+EZEyFjEOFqTiQmRHzf

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
772	omsecor.exe
1252	omsecor.exe
2052	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
352	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
352	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
772	omsecor.exe
772	omsecor.exe
1252	omsecor.exe
1252	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 772	352	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	30
PID 352 wrote to memory of 772	352	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	30
PID 352 wrote to memory of 772	352	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	30
PID 352 wrote to memory of 772	352	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	30
PID 772 wrote to memory of 1252	772	omsecor.exe	33
PID 772 wrote to memory of 1252	772	omsecor.exe	33
PID 772 wrote to memory of 1252	772	omsecor.exe	33
PID 772 wrote to memory of 1252	772	omsecor.exe	33
PID 1252 wrote to memory of 2052	1252	omsecor.exe	34
PID 1252 wrote to memory of 2052	1252	omsecor.exe	34
PID 1252 wrote to memory of 2052	1252	omsecor.exe	34
PID 1252 wrote to memory of 2052	1252	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
"C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:352
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
5f5cfdf7f19818afdf8bdabcd85b28bc

SHA1
91e29fe3f96f6484cebfe8430788d091b0b438d5

SHA256
df4816b0eb7c9235454e1bba0c02737f42c5ce211b5d4b0fa31043fe25ae562d

SHA512
6fc29f96cfaddf7f74ab0648b87bc613e29eb94d3c3d1f4845dfc05861911f4d9e914e45640bcdedec54a9c5baa6304273a8a61888b6100ef7a059dd3e39048e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
7b10b734f365dc866f30bbbb2bd10207

SHA1
d10758b5123e475fbf0b45df59e25b06d6ae8656

SHA256
6b9acb671e6f32c0c0db438c7b499f08b72dac766370d0fdcbd8121adb41856c

SHA512
3df8124e0e69b817b7fa7fd5827a4d0dfc223b0d60e67ffea2682c65434f6cc549b55476572e145e3e6b1e94a104d5578bbbf8f08c413e0321d5c12546bbfd76

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
8ebbeb464d6412d87c59d1b6904006c1

SHA1
eda20b5e19ffb7eaa2aa17251e4eb61b2450a333

SHA256
8f6528d4895c2530806d2e83d39ffb3ebe6220077e1468edd72ace9e44a6ee5d

SHA512
e73f3f509f61d653d8d0af9524d203a2c64a3310a82635c96550d53900ee64035d7569ef9ac5de840018a314746c1ea046eeeb8917b456f8f2772fce7d457cfe

Download Submit
memory/352-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/352-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/352-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/772-19-0x0000000001FA0000-0x0000000001FCA000-memory.dmp

Filesize
168KB

Download
memory/772-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/772-24-0x0000000001FA0000-0x0000000001FCA000-memory.dmp

Filesize
168KB

Download
memory/772-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/772-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1252-30-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1252-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1252-34-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2052-40-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing