neconyd | fb26c05dacca15ee6c900d931ea4d65c9642cecbead7f334340d550844ad67af

General

Target

fb26c05dacca15ee6c900d931ea4d65c9642cecbead7f334340d550844ad67afN.exe
Size

33KB
MD5

a410c367e098e79280df3a7a9064f9b0
SHA1

fbd14dc76e2b2e7ac73fc710676e598ef4fe8c4b
SHA256

fb26c05dacca15ee6c900d931ea4d65c9642cecbead7f334340d550844ad67af
SHA512

19b713dea81238e9b0155fba001481d6c15406067f442f58724921d8613ffafc7d7f9a6cd862808fe9512f68ae91eb5aceb512176fbb91058527919f013cd3e4
SSDEEP

768:8fVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7Dd:8fVRztyHo8QNHTk0qE5fslvN/956qo

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2280	omsecor.exe
3120	omsecor.exe
1380	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb26c05dacca15ee6c900d931ea4d65c9642cecbead7f334340d550844ad67afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2280	3292	fb26c05dacca15ee6c900d931ea4d65c9642cecbead7f334340d550844ad67afN.exe	83
PID 3292 wrote to memory of 2280	3292	fb26c05dacca15ee6c900d931ea4d65c9642cecbead7f334340d550844ad67afN.exe	83
PID 3292 wrote to memory of 2280	3292	fb26c05dacca15ee6c900d931ea4d65c9642cecbead7f334340d550844ad67afN.exe	83
PID 2280 wrote to memory of 3120	2280	omsecor.exe	100
PID 2280 wrote to memory of 3120	2280	omsecor.exe	100
PID 2280 wrote to memory of 3120	2280	omsecor.exe	100
PID 3120 wrote to memory of 1380	3120	omsecor.exe	101
PID 3120 wrote to memory of 1380	3120	omsecor.exe	101
PID 3120 wrote to memory of 1380	3120	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\fb26c05dacca15ee6c900d931ea4d65c9642cecbead7f334340d550844ad67afN.exe
"C:\Users\Admin\AppData\Local\Temp\fb26c05dacca15ee6c900d931ea4d65c9642cecbead7f334340d550844ad67afN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
ce1cadbe6943017a428963dd7ad61404

SHA1
ce15d54430cc3423314927bda6456d380ea20d6d

SHA256
74cd288a6f64c07ff56eac5f93201540b0740d9108f971aa14b7a02202a01ffc

SHA512
57c65519d4cc10b42046330089450fe6b59c8097aa5951fdc9ebd42ce71b80a09f21e87df509f0c0aad95954e80a8ae340fa224f6e682dd6e23a7f36d0585985

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
eee79a996952ce4a6ca4449c91a6199b

SHA1
5dc9e58f2cdcbf0a30bb75534169d03e10e14d6b

SHA256
f09fa55832e853eb8f2281c4150b0d5a4da11ef6824c8e0055f87b446597b8ce

SHA512
be247508c0028d04dfb614d86238a3001a8d073661caf4a04e203d852c6ae91d5e3522a1de6a5a987fa411826246c5547cd7d9f642ac08a15be79c0d24b67951

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
f59c0d57a26195b0f98f0da60c4f3ed5

SHA1
6497bf6b479a514b356e4d0745a56143c7930ea6

SHA256
213ba418c93d505b81b0d6118d20d5281870a35cf3e829ee7d47f62051d92252

SHA512
5af95dc6e23d230af36e761e2704408618252d9eba147e8cc2a938c200329bccab923c5e0de9f550d4a0b6fd9a27eee70d26fd45f057f5c79e427a6551bec581

Download Submit
memory/1380-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1380-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3120-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3120-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3292-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3292-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing