neconyd | b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c

General

Target

b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Size

65KB
MD5

e4ff0fdaf9755cdf8427bb42af18c3d8
SHA1

11ddbf277b764f01345aa299c75224defe885ada
SHA256

b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c
SHA512

2c7f97f96e3268985e096424f0f4ea568dd70eb2bc2a2f16048e7bb9cdcc63e34f438d41b9da31e3852237012745e5eb6ac264732aadf08c942765f5bb5aa606
SSDEEP

1536:Md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzf:0dseIO+EZEyFjEOFqTiQmRHzf

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
788	omsecor.exe
2100	omsecor.exe
1528	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2120	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
2120	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
788	omsecor.exe
788	omsecor.exe
2100	omsecor.exe
2100	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 788	2120	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	30
PID 2120 wrote to memory of 788	2120	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	30
PID 2120 wrote to memory of 788	2120	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	30
PID 2120 wrote to memory of 788	2120	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	30
PID 788 wrote to memory of 2100	788	omsecor.exe	33
PID 788 wrote to memory of 2100	788	omsecor.exe	33
PID 788 wrote to memory of 2100	788	omsecor.exe	33
PID 788 wrote to memory of 2100	788	omsecor.exe	33
PID 2100 wrote to memory of 1528	2100	omsecor.exe	34
PID 2100 wrote to memory of 1528	2100	omsecor.exe	34
PID 2100 wrote to memory of 1528	2100	omsecor.exe	34
PID 2100 wrote to memory of 1528	2100	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
"C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
2d5bd3dce6f14d2eab84577671caeb66

SHA1
fea6bd7357c8e8b5a3925c4d59587874a105069a

SHA256
e27643a3e55f62d32164ff8e6f9be9962fe72525109030332fd4bd7d222795ed

SHA512
162f0fa11713d4dbb3498dd30d65e44a070e36658df8c13576c04c54d2533a335ca9ae3c1a3d41fb42a90299d85118eacd495bdbdc0a1d79c4330dc666c0ef8c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
5f5cfdf7f19818afdf8bdabcd85b28bc

SHA1
91e29fe3f96f6484cebfe8430788d091b0b438d5

SHA256
df4816b0eb7c9235454e1bba0c02737f42c5ce211b5d4b0fa31043fe25ae562d

SHA512
6fc29f96cfaddf7f74ab0648b87bc613e29eb94d3c3d1f4845dfc05861911f4d9e914e45640bcdedec54a9c5baa6304273a8a61888b6100ef7a059dd3e39048e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
2d49086e82980ace18e8a77a90584f7d

SHA1
f561dde978d925b4cac9d76d14929186a57fe277

SHA256
adf7bb2cfb3ab8968f3f80f9aa26ff591286f46ae4d29ccaa63baf134a827e79

SHA512
194b60e7489443d66eaa93ce7c30eda6e75e6d8951ed809595014fcc03de11cfc56003af3860f81364b90c42398ee8bd6e045537a40730ff90744f53090517ec

Download Submit
memory/788-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/788-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/788-17-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/788-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1528-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1528-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2100-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2120-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2120-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing