neconyd | bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dc

General

Target

bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe
Size

88KB
MD5

1f123d1bb837605fc66f5c41e513fef0
SHA1

3d745d2e5ac0949e3b14bc9106149e65715ea3f6
SHA256

bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dc
SHA512

a65677d262465aca8c23cc240f0505e3ae11237d4729562e275487a3cfa71a4da6e0efc82c5739e44e4e4e3b3a32b3543321cb45959ed898ae148d8f49678b83
SSDEEP

768:ZMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:ZbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2488	omsecor.exe
1924	omsecor.exe
1236	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1696	bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe
1696	bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe
2488	omsecor.exe
2488	omsecor.exe
1924	omsecor.exe
1924	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2488	1696	bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe	30
PID 1696 wrote to memory of 2488	1696	bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe	30
PID 1696 wrote to memory of 2488	1696	bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe	30
PID 1696 wrote to memory of 2488	1696	bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe	30
PID 2488 wrote to memory of 1924	2488	omsecor.exe	33
PID 2488 wrote to memory of 1924	2488	omsecor.exe	33
PID 2488 wrote to memory of 1924	2488	omsecor.exe	33
PID 2488 wrote to memory of 1924	2488	omsecor.exe	33
PID 1924 wrote to memory of 1236	1924	omsecor.exe	34
PID 1924 wrote to memory of 1236	1924	omsecor.exe	34
PID 1924 wrote to memory of 1236	1924	omsecor.exe	34
PID 1924 wrote to memory of 1236	1924	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe
"C:\Users\Admin\AppData\Local\Temp\bcfe46db3d0db34dad4bf619018b069893491567152b4fa3b6541f9f05c9c3dcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
986c28d0defb103728299e3c3f6c3530

SHA1
23b5beb65d791396884b05b69bb4a139797c90c6

SHA256
2b53308b39cb0ee05175b247f56850157289a5ac7c5e69c0639b8055a63ac3b9

SHA512
90d5d672400cd632fc22890f339f4cd50ed66edc8a78df2e016c02a1639e3461a6a043687c0e1686820bee2986ab731aa1f1a19a7fb90814af3b4b4cec493f45

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
95a7149c0f3e10ea0a2be3f3ff0faeff

SHA1
69e06d90987d62866e33c10fb09cf0f9850271d5

SHA256
c63b538af7d4e72f18b942ec2108108d2c3c4c878042673ac0a9d0aef082a0c2

SHA512
669a30b38c7291f915a607f8051f6b1a3c1d76301b243b7516998bc11444fc49d6cb82b7428c121053dd00dabeb2c5d556e26b3f82fd6d18863e6c306a6e2bff

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
06aa4d238cfca2ce4103efd052992187

SHA1
0be22e622ec0fcd4fb8ab406f1ce147ad6691b72

SHA256
3f003b0ee4de58e07a6354fd1f1d4fdbe82eb85d0162289a036ed772a9a94fc3

SHA512
8b7903b8bdb1ac7d68f5477d035aa880deefc37696eba984cbf71ca8209b8f3e6d3ea2121772cccfb8b6b46472a490e5a809e3675a21c9f5b6a8ea423c22561b

Download Submit

Analysis

Sharing