neconyd | 38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818

General

Target

38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe
Size

61KB
MD5

121e47853541cf15a1249c5580840cea
SHA1

28161b7d82dfd76176f68784228dcd0cb938cd5b
SHA256

38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818
SHA512

c1d8bc14cb413ddaeae5ecfa93ef2f7faacd089e609f56a1fbc5c87f83e6e6c7660508f1bb707d007d0e21856abf82857d39eb119effe63ea9b31c567f23b9c3
SSDEEP

1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5/:4dseIOMEZEyFjEOFqTiQmil/5/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2100	omsecor.exe
688	omsecor.exe
2872	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2032	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe
2032	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe
2100	omsecor.exe
2100	omsecor.exe
688	omsecor.exe
688	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2100	2032	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe	30
PID 2032 wrote to memory of 2100	2032	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe	30
PID 2032 wrote to memory of 2100	2032	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe	30
PID 2032 wrote to memory of 2100	2032	38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe	30
PID 2100 wrote to memory of 688	2100	omsecor.exe	33
PID 2100 wrote to memory of 688	2100	omsecor.exe	33
PID 2100 wrote to memory of 688	2100	omsecor.exe	33
PID 2100 wrote to memory of 688	2100	omsecor.exe	33
PID 688 wrote to memory of 2872	688	omsecor.exe	34
PID 688 wrote to memory of 2872	688	omsecor.exe	34
PID 688 wrote to memory of 2872	688	omsecor.exe	34
PID 688 wrote to memory of 2872	688	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe
"C:\Users\Admin\AppData\Local\Temp\38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
58fa705597ac3904efd86c12f2814cd6

SHA1
b0c76772aa077c694076ff7cbe048dab2edfbf15

SHA256
f3ce495cdcf137ad9a9c1c4e98ced516d887994398f0b4846f26097ae5c7ce1b

SHA512
7f1f7eb3f4363d343779ff0d78d610a7cc8aff474770891b6f0131ce13b5d5468a8d7c45167b91b1dacf20bf5831411938800016a9f743e7f1591f373f608779

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
98ed742ba0356531fb0a83cdde90b155

SHA1
b8aa0011c53c862a00552ee48941565971711820

SHA256
7ed24dc5088dfa3bef027926ca64d95e5289469f23edf0d8cda8f6c67d937200

SHA512
459b0515d9af76715c25b76d0ee7aa64265a54770888c645271c7fad44831b1e9919883fdd930ca24f702b78e716c50a6a7eff0232b1f741dac22bf29d29b2c7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
1132c33af01cd1d43c4f0070731b2c62

SHA1
b3e21919b215bf520dc91acbcdc11f0b3a6935c6

SHA256
b489342f9cd89e127ab1c83353b7cf2ae684bc79a4b87bdc6a2444ca20b6df17

SHA512
72017b33320eb2bbb6558449db3b4c235312f5d068d608fab02ea44816b015c6f6819f7d9847d5810720c0eb1f717989737d603828d9a59408cc6a8f6dd41e44

Download Submit

Analysis

Sharing