neconyd | bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602

General

Target

bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe
Size

61KB
MD5

546baa01ff728e9da82b4e92ef66ed80
SHA1

76d58e0ef3fc4404558212cc38b3fe4814f03efe
SHA256

bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602
SHA512

619a73362e672516a85af9802752622e7a25b55009772caf0f2373ebfefdf0c190df6524f53fe5b8fd9bd99d0d6b46eb2266a0df0bed60a8e950e607f45120d2
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZVl/5:XdseIOMEZEyFjEOFqTiQmzl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2244	omsecor.exe
288	omsecor.exe
1040	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2424	bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe
2424	bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe
2244	omsecor.exe
2244	omsecor.exe
288	omsecor.exe
288	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2244	2424	bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe	30
PID 2424 wrote to memory of 2244	2424	bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe	30
PID 2424 wrote to memory of 2244	2424	bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe	30
PID 2424 wrote to memory of 2244	2424	bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe	30
PID 2244 wrote to memory of 288	2244	omsecor.exe	33
PID 2244 wrote to memory of 288	2244	omsecor.exe	33
PID 2244 wrote to memory of 288	2244	omsecor.exe	33
PID 2244 wrote to memory of 288	2244	omsecor.exe	33
PID 288 wrote to memory of 1040	288	omsecor.exe	34
PID 288 wrote to memory of 1040	288	omsecor.exe	34
PID 288 wrote to memory of 1040	288	omsecor.exe	34
PID 288 wrote to memory of 1040	288	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe
"C:\Users\Admin\AppData\Local\Temp\bc81a8367c9c5970fdfd8b653319d5c86b787f7cf46db0040acfdb3a4e9af602N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:288
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
16f7e197bb3a2c0f1b742d8b031353e6

SHA1
2ec60c2ea7b0daf65bdd0979e03aa0bc35b2219f

SHA256
1a0c13fbd3d90c2225a4357dbd4881da8fbae0b5b7cc0dda35a744d676100099

SHA512
887b702b78262b30bcbd810bab75e5b548e3b4d450d20be4fb10a2f634937094aaafed4116eab75d549b4dc5e0a127fc582e890b3b79dea1c856808c00df6707

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
972c2168e906b348497a492421618876

SHA1
61982e38caeabf4f567b894e245a6377b5761619

SHA256
eb9a5ddf14a4adb1b7eb0095aac3e6bba473bd97679385e355329632adc22773

SHA512
7ff358104597cf1615758702228ae21cf4008567e4fd01e8770cf830d0d355a5dad54b3063c6e896318f837ed7c053afa86c456971e2a41931dd48e8912a1f80

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
c2e8340c9e39750cf5f2b07ef60ca966

SHA1
261ace98adfb5baac9962e57c113ba38ab3bc676

SHA256
db12088293c86af8ba9bb3e9095d4e8cadfa3a319e28b4087c0e61cad13003aa

SHA512
c843de35e1b5563d5ea985dee949ca51ee09ca96552a92daafe3b03c601cb3c06dfacb23ce5e043e8478b875b2bcd2c9a251f2f3741ddcb79d989ef73588a975

Download Submit

Analysis

Sharing