neconyd | 2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d

General

Target

2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe
Size

72KB
MD5

c70ba8999aebb0e1aff0753892cf6d2f
SHA1

f278750c11b8c996ebad4863300f3fe9c266339c
SHA256

2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d
SHA512

609c0e5ca36102e3effe8f9108af4afd2ded4713a64bf8750da546f97c552456aeba268fae6575b153499acbd098f41586b618ed9f14b03b7804fcce52be37c9
SSDEEP

1536:Vd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211X:ddseIOMEZEyFjEOFqTiQm5l/5211X

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1964	omsecor.exe
1892	omsecor.exe
1932	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2988	2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe
2988	2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe
1964	omsecor.exe
1964	omsecor.exe
1892	omsecor.exe
1892	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1964	2988	2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe	31
PID 2988 wrote to memory of 1964	2988	2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe	31
PID 2988 wrote to memory of 1964	2988	2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe	31
PID 2988 wrote to memory of 1964	2988	2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe	31
PID 1964 wrote to memory of 1892	1964	omsecor.exe	33
PID 1964 wrote to memory of 1892	1964	omsecor.exe	33
PID 1964 wrote to memory of 1892	1964	omsecor.exe	33
PID 1964 wrote to memory of 1892	1964	omsecor.exe	33
PID 1892 wrote to memory of 1932	1892	omsecor.exe	34
PID 1892 wrote to memory of 1932	1892	omsecor.exe	34
PID 1892 wrote to memory of 1932	1892	omsecor.exe	34
PID 1892 wrote to memory of 1932	1892	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe
"C:\Users\Admin\AppData\Local\Temp\2d7fdb3e9cafb9ead3620b111f374d109a587ac2e9d03392cf79b248bbfc6b5d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
748b2874c8bbfd68cc45ba2a99ddcc3d

SHA1
f72370d44b14dbeb1f575b4f5cdb0682ded9ce23

SHA256
ed8dc9935e85e7886467be753e47c17d289217a217530887789c02167824a5e8

SHA512
6f291dd723ce546334c030ae5e4a1e87338016dc8ab6f3931ea6da62ce9e95c2e3cd4416c6a53f6303d46236b90d92d7d5585054336d1e2aae32d1a49b9550de

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
436341fca86dcfe88f6225e10bffddf2

SHA1
13c6b96ca159af4f81ed9edaa973df4619f18154

SHA256
07fb82884de3a8e1d26ff9ded1a08428785bfa29a88b70344fbcb436490bcda3

SHA512
6d376b3da14d834c48c2b85cc6e033989c390cc73174ae29e82c2e6a54092e3cefdf9ca292314a8cd71439103dcc51fce495078d3559a127bbc1a6d8ef8b1904

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
28160463c5cc5ddd549fc89180cb9be3

SHA1
cd4100fa5d615bda3970aaad92801d848e27a505

SHA256
85e624e5951997c4c7bd0cc7ee75edd453bb8307219730378a70507f8c9b5fe1

SHA512
36eec01dc7864c7c314478307e8cbf061cd5201ad15b311eda2bbd7de7e3648ee634bed66eccd17df7426233a2abe21a8344404c9db939e7907a6db5800890d7

Download Submit

Analysis

Sharing