neconyd | fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542

General

Target

fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe
Size

80KB
MD5

e2c7d1e70ac2703bbbcdc3cf21fd40ad
SHA1

f0494b727fc6f5d4fcc58f8e8b90ecf38cbcc0a9
SHA256

fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542
SHA512

6ac5362cbfe9e8abb7f40b2a56223da7ab1808c5a0607e732954f98152c47f68df30cc887cfd52c6d87304110c42ed5a37c625023e4158ddd7f07e118502216f
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:XdseIOMEZEyFjEOFqTiQmOl/5xPvw3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2536	omsecor.exe
2992	omsecor.exe
1984	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2064	fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe
2064	fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe
2536	omsecor.exe
2536	omsecor.exe
2992	omsecor.exe
2992	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2536	2064	fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe	30
PID 2064 wrote to memory of 2536	2064	fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe	30
PID 2064 wrote to memory of 2536	2064	fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe	30
PID 2064 wrote to memory of 2536	2064	fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe	30
PID 2536 wrote to memory of 2992	2536	omsecor.exe	33
PID 2536 wrote to memory of 2992	2536	omsecor.exe	33
PID 2536 wrote to memory of 2992	2536	omsecor.exe	33
PID 2536 wrote to memory of 2992	2536	omsecor.exe	33
PID 2992 wrote to memory of 1984	2992	omsecor.exe	34
PID 2992 wrote to memory of 1984	2992	omsecor.exe	34
PID 2992 wrote to memory of 1984	2992	omsecor.exe	34
PID 2992 wrote to memory of 1984	2992	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe
"C:\Users\Admin\AppData\Local\Temp\fc493e4f11bbbe90d34edc5de4417457023a416c07751760c2a4e75d65588542.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
aab424bd57d7cfa5ce03ac446c469cba

SHA1
f25a54376f61cb321019d4eb371d115e9e7a67cd

SHA256
9554d057da9be867f714b185442836a34c7d21804360b7c0f45a6dfc8e5fc8d4

SHA512
cf16edee095060847646eb94520ec8053f747bd035e38e2a8c4b8d232c589ed3c797463da3ac7c3a0bc1adb42b776ba5916656c8bba44f125dd8b6a4adc1412d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
1ee724ba39b4db2b3c50f63ac6471ae0

SHA1
c5421e673e6e31db33334d3c097bf21ad183b6c7

SHA256
6bd097e0f086d8016542e437151865ba53769d7e293fef9ea31e33e004901872

SHA512
8cd0d4320c55006a24b053677e95901e40a83fd163e937bcfcc0c4f296824817ba3c4d116c9986f78d3922a5604079233c720cfda5f7bf9f644a68cc3fe686be

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
807b5bb005756dcee6e2b10fe5d05ded

SHA1
a711101a15144abf5fdef2efa640461379976d96

SHA256
9274b4ea00e2587c893f64573036f6fe14587c743ae35dca442debdedfab05bf

SHA512
e004de19bbab64f861c83a52dac2870565b4833b24ba50748e06d575c12e424b1063369abbb0c166764a248240f27921e2548d5b1644b23155e314adbeb596e1

Download Submit

Analysis

Sharing