neconyd | 966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12a

General

Target

966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe
Size

64KB
MD5

306ed1a1937afa4e0e77782c39609100
SHA1

bfca77b9ee2c2ddf46e1c10ebe1671d9cb9c414c
SHA256

966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12a
SHA512

1a9528ebe76e8415993b969f17797e81072a52f115796deddb7ac0fe8384a7364d18d86df5ada5c9c8a3dc81e566ad3772ea48eba620b0df38fd32d886fa0a9a
SSDEEP

768:mMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:mbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2548	omsecor.exe
1832	omsecor.exe
1484	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1732	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe
1732	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe
2548	omsecor.exe
2548	omsecor.exe
1832	omsecor.exe
1832	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2548	1732	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe	30
PID 1732 wrote to memory of 2548	1732	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe	30
PID 1732 wrote to memory of 2548	1732	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe	30
PID 1732 wrote to memory of 2548	1732	966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe	30
PID 2548 wrote to memory of 1832	2548	omsecor.exe	33
PID 2548 wrote to memory of 1832	2548	omsecor.exe	33
PID 2548 wrote to memory of 1832	2548	omsecor.exe	33
PID 2548 wrote to memory of 1832	2548	omsecor.exe	33
PID 1832 wrote to memory of 1484	1832	omsecor.exe	34
PID 1832 wrote to memory of 1484	1832	omsecor.exe	34
PID 1832 wrote to memory of 1484	1832	omsecor.exe	34
PID 1832 wrote to memory of 1484	1832	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe
"C:\Users\Admin\AppData\Local\Temp\966ccc7a4e7d8fb470cc87f71b2d39c366531d8bc58bb64916a6b82d97c5b12aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
2773fd55dafda27a8b1b4aa2011c7d71

SHA1
eea81e24a3397304a29d5f5231e3b0399575d3be

SHA256
01952c51371fd06cd13914da4a57007489ddeeadc7bbf72166e5f9cf3110cb5e

SHA512
dd64c80b50046e9b706f06137e243227489692aa0c599ca4957272df8d556924226fce8d82f8c803a06ba01d5b37417e77f2e59daf0439fb1bb51362bccb62c7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
6ba7ef0e1a247081a7daa9f6bb3b9010

SHA1
501ab0fa6dde8fe499c1681a618420c5828a9e41

SHA256
4751a851672e0ec72a74365f81b0785351a71059323cb7f28a42134b6f45fdce

SHA512
5a9b2e56a12cd345cbe68207eacbb44e4a5b8d91d322a077a5d8b15606047c7d90ed4175edead67d2f76751505c8f0cac7ff5b3375df7341100c0990765853f1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
a9d8df921efb645b7cfd555541d3dce5

SHA1
7f8bc5ac72792de92ddec40c51993b05ca37ed6e

SHA256
6a9e54cb58c3d75648027371be7c5d8658740b242e79d8dce6f4f1d28317ad26

SHA512
43ca547cd03c8065f5f3191ec8cc53c3d14c847167110ea899f5e4a2906fbc5bab36f3ef22881de211f779d0db3d1f82cefb0dd5628081d2550bd0fee9c259cb

Download Submit

Analysis

Sharing