neconyd | d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1

General

Target

d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe
Size

80KB
MD5

e69da5c3501445778de1cd41af270cd0
SHA1

a9178b211872ea64b90405bb72e383fc587ed2a5
SHA256

d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1
SHA512

f286bdbcf77142f5dd08b0a865c31c04b3aa5d288e00dadb43c527d572b1dadc9bbc6b0097f4c6491b18b681e9fa9cf9126b77bd6dcf461b9ec992259363e801
SSDEEP

768:mfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:mfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2832	omsecor.exe
2944	omsecor.exe
2924	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2788	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe
2788	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe
2832	omsecor.exe
2832	omsecor.exe
2944	omsecor.exe
2944	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2832	2788	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe	31
PID 2788 wrote to memory of 2832	2788	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe	31
PID 2788 wrote to memory of 2832	2788	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe	31
PID 2788 wrote to memory of 2832	2788	d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe	31
PID 2832 wrote to memory of 2944	2832	omsecor.exe	34
PID 2832 wrote to memory of 2944	2832	omsecor.exe	34
PID 2832 wrote to memory of 2944	2832	omsecor.exe	34
PID 2832 wrote to memory of 2944	2832	omsecor.exe	34
PID 2944 wrote to memory of 2924	2944	omsecor.exe	35
PID 2944 wrote to memory of 2924	2944	omsecor.exe	35
PID 2944 wrote to memory of 2924	2944	omsecor.exe	35
PID 2944 wrote to memory of 2924	2944	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe
"C:\Users\Admin\AppData\Local\Temp\d60de207dab4e3f0486b5ebcaf979bd7c055ac9b8ba6fcef802f685affc40fb1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
366edc2c916d9ea71997aabe5f5f9312

SHA1
9c218926b9b134e9ef63e0478c34fab7de417f3f

SHA256
7d49e69f78a5c2659dda4ae7141045efaeaabd56fc8283c9849ad893e173aa43

SHA512
f724eb2792a6c8cb39d250b7e0ffd70780e01d8c892979155f86c957aeb5688fa66b9e7fa61b1a504aaea1192d2e0b19b6305eb64e44fb330108a54e13b01aec

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
a54928ff441d43a7ee56df6792841daf

SHA1
f0ea62f093701d42931e66d1a46b82a1a50a210e

SHA256
c09c88724c52bfdd37c85d329c991a864f3136174dba20ed6479b2cda6a4cdf6

SHA512
b2caa710e5cea464acc7ca8a4a09afd40ffd784b18ad010caefca54cc87a566000ff799e6029508c607ebe2ff839b67b5148b3fba5dbd8065a109991f55ff660

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
dcbb1f34f8db7337d5af06b5ee276fc9

SHA1
488e0e761c35cb925706435ce05243be290469ed

SHA256
c790fdbb2f5e49a20d9f1cb91e1699f073f37d2a767f3ca47a992660196283c0

SHA512
01e95fcc5e15585a72e0d0cdf32b592b5c9e040ff09547ee99ac8d0e8061e83aaaf331b8fb7b8d2060c9911f365b75a27922de06345186ca5336556a0c588d30

Download Submit

Analysis

Sharing