neconyd | dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420b

General

Target

dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe
Size

80KB
MD5

36de0871e14d5a62e52be1d5b10e7ae0
SHA1

613a84912a10e246a7cfdfc55f1b27886d6a90fb
SHA256

dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420b
SHA512

8dcdd5dfd4986a93e227f187a83da22cf6bd5fa27cf60c711d32132da923071f77eb9f3935863b16845232386b0075030521fc101156a5b31201c3d37370027d
SSDEEP

768:4fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:4fbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid	Process
1832	omsecor.exe
2884	omsecor.exe
2796	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exeomsecor.exeomsecor.exe

pid	Process
2324	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe
2324	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe
1832	omsecor.exe
1832	omsecor.exe
2884	omsecor.exe
2884	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exeomsecor.exeomsecor.exeomsecor.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exeomsecor.exeomsecor.exe

description	pid	Process	procid_target
PID 2324 wrote to memory of 1832	2324	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe	31
PID 2324 wrote to memory of 1832	2324	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe	31
PID 2324 wrote to memory of 1832	2324	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe	31
PID 2324 wrote to memory of 1832	2324	dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe	31
PID 1832 wrote to memory of 2884	1832	omsecor.exe	34
PID 1832 wrote to memory of 2884	1832	omsecor.exe	34
PID 1832 wrote to memory of 2884	1832	omsecor.exe	34
PID 1832 wrote to memory of 2884	1832	omsecor.exe	34
PID 2884 wrote to memory of 2796	2884	omsecor.exe	35
PID 2884 wrote to memory of 2796	2884	omsecor.exe	35
PID 2884 wrote to memory of 2796	2884	omsecor.exe	35
PID 2884 wrote to memory of 2796	2884	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe
"C:\Users\Admin\AppData\Local\Temp\dbf49243889c886d1234a2dc0f019f507030728d76816be93a581f63e641420bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
002c7bb2928a008cb8fd9a49b68bf425

SHA1
0adc2461db9d1c3a7ccaa5bae589b19aead5d554

SHA256
18019733b4d99aadd7abc879b4cea11f9cdc9eb68f453ed91cde8e71fa4a4cb9

SHA512
659e5c09f1f308c765004c0ffd0af62897ed12a0669252820ff99d4286cc63a852222bb9cdc905be4d7c939dea190c7d4ad6dade8d195816bc5fd8920cb7b514

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
d1f7ca3554d381843474fdc98815ec04

SHA1
ffe6596bd178e3b1c31c5eaf267bd9fd3e376b00

SHA256
e6fbea4c81a54f831854cc5d39a9c0b184232400f86641b1e8d22681cc5ded2c

SHA512
50094f79008d59d400f279e988c1dc0b67dc4b5f09c9ecbce47870fb7e3ace0e09f0fba664047d07a5dbb42034e16f227b01765d5b4ad9af5066fa09ab25aa66

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
44204a053dc99e666c040646616ee203

SHA1
5f2be0932233df6d5b543ad2aa15b96fd36127fa

SHA256
1f5d517979330bd26e13f0a80217f338520279fd72b37667d33d753f730f65c7

SHA512
de3363d674aa5804a3303eec425bebc8c8b81068f6577201583b1f69aaf642148b708a4595c83752c8ec4eb51335ee315c8dc27b8dfadbe9c5ced5a9c0a82173

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads