neconyd | 8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488

General

Target

8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
Size

65KB
MD5

604765030c1e27ffb16c2845b8ecbffd
SHA1

3d627af1c443c50ee1fc3bcdc4f583b8912b1820
SHA256

8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488
SHA512

80bb3e2b412f202f10a185fc0321ea6413d9153194387aca2d402b0af028c6069382d8e07ae2888b4f721e6812e0c255181c9208c2933b5202f44d17c12dc955
SSDEEP

1536:Bd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzV:xdseIO+EZEyFjEOFqTiQmRHzV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2356	omsecor.exe
700	omsecor.exe
708	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1512	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
1512	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
2356	omsecor.exe
2356	omsecor.exe
700	omsecor.exe
700	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2356	1512	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe	30
PID 1512 wrote to memory of 2356	1512	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe	30
PID 1512 wrote to memory of 2356	1512	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe	30
PID 1512 wrote to memory of 2356	1512	8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe	30
PID 2356 wrote to memory of 700	2356	omsecor.exe	33
PID 2356 wrote to memory of 700	2356	omsecor.exe	33
PID 2356 wrote to memory of 700	2356	omsecor.exe	33
PID 2356 wrote to memory of 700	2356	omsecor.exe	33
PID 700 wrote to memory of 708	700	omsecor.exe	34
PID 700 wrote to memory of 708	700	omsecor.exe	34
PID 700 wrote to memory of 708	700	omsecor.exe	34
PID 700 wrote to memory of 708	700	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe
"C:\Users\Admin\AppData\Local\Temp\8718ffa486339a42ac3aff0020c6c3f0574f0ca75b627016402a9a3d7bd1c488.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
3227b7de0cc359584baad0495fd4afd5

SHA1
2d3c0581537fb466ef47a23e56e6301bc13687a3

SHA256
0fc3cf8e661ce29fdd951ac43ed1a664a143af057e58914cb3517c28a761eb18

SHA512
e6248373848017d1218915ba6342e7c8ec5ded1051547ae71cb44b1e5d4e5bb6a020b35e92343353e36fcbd1f532ba274997ac65ca10653ddfaafdb54cd5f67b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
c61391d38ec3fda7727c6c9a679101bb

SHA1
e26044d505aa38d277929b4997aa5ef03634bb4a

SHA256
466b1e000dcd9498cbc5173b47d8ba0ee1a88890cca2a983db663a7250aa01ea

SHA512
fd3cd4d5164ccc609b620c9bc7b172e90f64cbbaa1a11da13c19a99a38f489a3825027a180ba5803bc1226c4be47badb6bfe11987cf86e8f81a7ee422a7fb8d6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
09c0bb6b5887d04ed0ec584f95ecfb3a

SHA1
45e25f35cf86c152a2f367c6ff3e36eca8079ca9

SHA256
7de830457a9984369d11e2d186e6b8cfebc95d435df79eabcac4412e34a562c6

SHA512
a0edf88995cf8bb111c8a217285860a51b5e6fec42385ffd6959650b672ffff95d022fb2ff9aaba581476e938ea8f39f0a11bd3d48c3bb878502478154bdbafa

Download Submit
memory/700-37-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/700-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/708-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/708-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1512-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1512-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2356-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2356-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2356-17-0x0000000000330000-0x000000000035A000-memory.dmp

Filesize
168KB

Download
memory/2356-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing