neconyd | fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b

General

Target

fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe
Size

33KB
MD5

d3f0cf406da9136839b1e44fe2f893d4
SHA1

50e893170eb84751f4dd73c0999a070ca9b76119
SHA256

fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b
SHA512

66aa4b677c1c928f48ddb67238b73ceb65231c023c515b8ce8c7b0d4cd8b0e71b66bdb12e074f9ed0f3a4cbf2762c91e71fca7b5c32d82555d11cb8907faae8a
SSDEEP

768:LfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7Dj:LfVRztyHo8QNHTk0qE5fslvN/956qg

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2364	omsecor.exe
2276	omsecor.exe
1836	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1740	fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe
1740	fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe
2364	omsecor.exe
2364	omsecor.exe
2276	omsecor.exe
2276	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2364	1740	fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe	30
PID 1740 wrote to memory of 2364	1740	fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe	30
PID 1740 wrote to memory of 2364	1740	fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe	30
PID 1740 wrote to memory of 2364	1740	fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe	30
PID 2364 wrote to memory of 2276	2364	omsecor.exe	33
PID 2364 wrote to memory of 2276	2364	omsecor.exe	33
PID 2364 wrote to memory of 2276	2364	omsecor.exe	33
PID 2364 wrote to memory of 2276	2364	omsecor.exe	33
PID 2276 wrote to memory of 1836	2276	omsecor.exe	34
PID 2276 wrote to memory of 1836	2276	omsecor.exe	34
PID 2276 wrote to memory of 1836	2276	omsecor.exe	34
PID 2276 wrote to memory of 1836	2276	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe
"C:\Users\Admin\AppData\Local\Temp\fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
bda0144dd27c24e62b4b297335b54457

SHA1
271a84cb22521148c4885f3363cfe83d74e9cd53

SHA256
c46ae14328aa619df6c3e20b4cc284af6187e314ffca154eb51d78316cc862c9

SHA512
5e704e914656a5d5ec7f3dfeaa7d5a8a1e5603372aa83574ae759585a8315d67228a8cb054bb45c22bde76b6edd6fdb134eb2eb4245dfc5432b989b450cf40fa

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
f23d98f6c76adc0dfb361e85325ae672

SHA1
2f0d489756448cd85b17c47a1beb0e4712e1b71a

SHA256
db6a51d2a4e85cea1f06673e0483c826ec378846a46d28cf6b2caa70edcd4529

SHA512
6affa7115d6bdaaa98c17aee4b03b9f7bbec626e29ff2922f8565c9671322f5b72cd98de4c1a357ec888e53de4bc95a93a5608a0a9d66214ebc68c99dc61635b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
7af60394ad210d3e703bc973b34327ed

SHA1
e67a9cbaad7e83a3ad0ae780aed2e73914da1930

SHA256
fea4ea484d447f03c5a70ea3b20c90c1eddc95fea4739d1e8cb323a3190ddc5f

SHA512
abfef0423e09287110b79242b43bec5aefd5caef76bada7778f538330372dc666d7e9a9a1eb338448dabd41e3e9ebe3dcc0c1874fa964aa46504c5af9688bbe1

Download Submit
memory/1740-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1740-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1836-50-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2276-46-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2276-48-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2276-40-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2364-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-32-0x0000000000470000-0x000000000049A000-memory.dmp

Filesize
168KB

Download
memory/2364-27-0x0000000000470000-0x000000000049A000-memory.dmp

Filesize
168KB

Download
memory/2364-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing