neconyd | 80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8

General

Target

80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe
Size

84KB
MD5

943ac921d81ca9c1a1ccc0a75b8796c0
SHA1

6df556ff60b34b8ab6a9a6b3656c6058aafaf2df
SHA256

80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8
SHA512

87d6ae8df933e97fddcf8fb4a0dd7c29117037cf5177cdfaaa19e11348e5600dae6e2e71b7a57402fdee94e45830c82ba52ea14ab1b0bbca6bf16747a6106b6c
SSDEEP

1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:KdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2064	omsecor.exe
2408	omsecor.exe
2664	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2384	80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe
2384	80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe
2064	omsecor.exe
2064	omsecor.exe
2408	omsecor.exe
2408	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2064	2384	80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe	30
PID 2384 wrote to memory of 2064	2384	80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe	30
PID 2384 wrote to memory of 2064	2384	80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe	30
PID 2384 wrote to memory of 2064	2384	80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe	30
PID 2064 wrote to memory of 2408	2064	omsecor.exe	33
PID 2064 wrote to memory of 2408	2064	omsecor.exe	33
PID 2064 wrote to memory of 2408	2064	omsecor.exe	33
PID 2064 wrote to memory of 2408	2064	omsecor.exe	33
PID 2408 wrote to memory of 2664	2408	omsecor.exe	34
PID 2408 wrote to memory of 2664	2408	omsecor.exe	34
PID 2408 wrote to memory of 2664	2408	omsecor.exe	34
PID 2408 wrote to memory of 2664	2408	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe
"C:\Users\Admin\AppData\Local\Temp\80005597d6f693567b7d051e2fcecb95d282f55b20a24d91426a25f10c559ef8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
62e6cd746c1d480bbab48ad534774173

SHA1
887ada2bb599f4e28c33040cf06727ce26b5157d

SHA256
7b81c4fec99127ded1343533358382d6bd2ebad7ae833adf54e62fe221e220cf

SHA512
ae5dd65189fe6b38ea2af174f6eb0ed287741d6649baac20d48bd56b1fc9b115dab406ee0d7aa6cf17086b04954ef6a85c4103adb8d5edf8941ad9cf0d7adff6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
929e1795a8a69a2bd85d8728a1d7116c

SHA1
5c905063ccecdcec1b7f3bfb24eb816145518b6a

SHA256
ccc9af52d25ad3f126eb0c9654dd98272e8ae92894b64a2ba5e1c246a005da78

SHA512
564ebfd0f9fc10fe57db528cd9aa24dff588c08c894ef5d3eeab582a3b307818a441c13cc5a051a5b4c1eb1ada9bd23238b7ceeb2bb857af816823e093fbf554

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
7b588b3513aabd476bcbb903058b5fa0

SHA1
a2b7adcf2ab285dd11e5bd84274df989d0223bd4

SHA256
b335d93ed067ccb108694e501350e263e932fc21f397e86054e71e1eb8b8e295

SHA512
9129b596aeecf0bb8a4b3a72b50a8f34407326f0c8cc903f0801f885698c7d3d6517ef43635eb6ec70c8f575f03fd63674c64acfff1c926afc84861b8892375a

Download Submit

Analysis

Sharing