neconyd | 24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8

General

Target

24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe
Size

64KB
MD5

1f04667374508060ce6a19e53e73e716
SHA1

0e50a1d92c5b792c6b4de050d8155dab87dffebb
SHA256

24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8
SHA512

3bc7374198cd1b922e070a74f5212f1f0a0ad9fa9db4ad8fa814138b61aaaa327da42a622293f4699510817a1e22644c77495f1e6ec7af9570cd7b7993ece2b5
SSDEEP

768:3MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:3bIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2504	omsecor.exe
1056	omsecor.exe
2928	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2120	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe
2120	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe
2504	omsecor.exe
2504	omsecor.exe
1056	omsecor.exe
1056	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2504	2120	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe	30
PID 2120 wrote to memory of 2504	2120	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe	30
PID 2120 wrote to memory of 2504	2120	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe	30
PID 2120 wrote to memory of 2504	2120	24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe	30
PID 2504 wrote to memory of 1056	2504	omsecor.exe	33
PID 2504 wrote to memory of 1056	2504	omsecor.exe	33
PID 2504 wrote to memory of 1056	2504	omsecor.exe	33
PID 2504 wrote to memory of 1056	2504	omsecor.exe	33
PID 1056 wrote to memory of 2928	1056	omsecor.exe	34
PID 1056 wrote to memory of 2928	1056	omsecor.exe	34
PID 1056 wrote to memory of 2928	1056	omsecor.exe	34
PID 1056 wrote to memory of 2928	1056	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe
"C:\Users\Admin\AppData\Local\Temp\24090c7f7c1ded71b21be54a91fe0c73054a541608aefba1f5adca42daf35dc8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
cd69f485baf57ae1d54ba57252916f64

SHA1
599350c79a8563687f935da0acabdd3025ed0482

SHA256
d5d49d584a0ce510debcfb11fc5c086ae727c3acaa5c8a66b1258381a1cc0da6

SHA512
5f2e5d6f7cca59ac2e619e2cae5a778af0dcf0eba720a94ce3287848c7c6bc02fbfeeb1dcc273d0231e01c1d76adecef5b747722a4225293b7d2020a7bcd8b2c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
766c0a2f066bd894f6d71dd28b63ceea

SHA1
11b704fb429763a6cce05bdf440812d5ac5ee037

SHA256
208a4401e8d2c9bcd2072195974b164d746348f5de4309cc1c067439c6232507

SHA512
980a0114a8a56d5f4b4df1ffc22dfb7b525bbf88b096f83e62e08a3473b17596a3123521688c7584aaec66a63adc5dcd11600b0212965eee22d60af95c8a09fe

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
653ee2c3c0037598c6dc24032b193515

SHA1
76800ec144de4faafd35b1f2f0dc890d1a74d034

SHA256
dfa743ece8722db57c543f57e29fdc436eafa3ea15e06e32043f23fe8d41d61e

SHA512
fc77baaf6eff31a86b8c30fa3af15ac4bb92fe10d1483816df717f1c472bd75913e8f192d8d63ed7290aca8e558c6ff20d6ee938f37692c1ba29f1b988e81461

Download Submit

Analysis

Sharing