neconyd | b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8

General

Target

b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe
Size

76KB
MD5

7558ffb530e028c740a509698c85c257
SHA1

4d716b78cf0fb491b10e7523b51f793f69d7ab6f
SHA256

b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8
SHA512

13aca0ec59c3a1d9c0f117f63d8dd62040df2580f88721246a1ce0511afc344e64dc49c18ddf32ced7ba0b4d36639949fdbc37790d767f25a05d20f4d3af0182
SSDEEP

768:BMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWZ:BbIvYvZEyFKF6N4yS+AQmZTl/5OZ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2364	omsecor.exe
2028	omsecor.exe
1044	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1440	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe
1440	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe
2364	omsecor.exe
2364	omsecor.exe
2028	omsecor.exe
2028	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2364	1440	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe	30
PID 1440 wrote to memory of 2364	1440	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe	30
PID 1440 wrote to memory of 2364	1440	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe	30
PID 1440 wrote to memory of 2364	1440	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe	30
PID 2364 wrote to memory of 2028	2364	omsecor.exe	33
PID 2364 wrote to memory of 2028	2364	omsecor.exe	33
PID 2364 wrote to memory of 2028	2364	omsecor.exe	33
PID 2364 wrote to memory of 2028	2364	omsecor.exe	33
PID 2028 wrote to memory of 1044	2028	omsecor.exe	34
PID 2028 wrote to memory of 1044	2028	omsecor.exe	34
PID 2028 wrote to memory of 1044	2028	omsecor.exe	34
PID 2028 wrote to memory of 1044	2028	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe
"C:\Users\Admin\AppData\Local\Temp\b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
0563ba8dfff8d6ff48c05b27bcc36eed

SHA1
3c4f91d3988992ed9e2913979093a3d14fb4b75c

SHA256
57cd373c28d36bb286c2723c00212bf8f8dde8909cf60f5787a07c0a6f608376

SHA512
f3d2b2d7c17a0e5c56bad4854ecbb2ee29ba73489fe2438d9d3fd6e399d57964aae989d811030b17a42962868978e409dac582802f2c786c881518371a44e5cd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
1e8668d71d20ecaf218dc93188ed0a40

SHA1
c0ea35de324d5a04c7a4969af4f66cdda26453d5

SHA256
d8ff598ad81a892e2ac18f9d364567a0caf74178e5a22c99896fa6f937f71f08

SHA512
2fd7387429435e51693f7372b52d04bc59fb03bdf17ce5569034b9224c182ef8ec6a277d475390379ae59bf0e3201aa82501ef36efa21f21a907c020afc23f59

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
6f074ae01ab602e64f84688caa02d0e4

SHA1
7f062eedc4886ef43d61a0d3fd24580b1092c423

SHA256
87b91579d1f9ee42fbe74445fa47665fa74d413abb694c8e2a3e6554487d709b

SHA512
19adcfd8e6378067d2fe86156600d227f7a778bfc0f6fead0bb096a80e68d9736510d22da05adcb9d878ef33c61d3ea175668e0d1c059581c14f83d75605df47

Download Submit

Analysis

Sharing