neconyd | caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50

General

Target

caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe
Size

61KB
MD5

5ea51eae9c69eaa9eaaa4952fb817270
SHA1

ce2ed574329b618ad30574db94aa5bfd919c8693
SHA256

caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50
SHA512

5e651860e084490ffe4e585867c14f7f953424a8a465d7ed42d2d445dcfcebc45fb5714a2405cc8d49f2ee67b76abac9725f51021ad8e5c73231a8190ad279e1
SSDEEP

1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5:4dseIOMEZEyFjEOFqTiQmil/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2384	omsecor.exe
1948	omsecor.exe
2008	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2628	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe
2628	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe
2384	omsecor.exe
2384	omsecor.exe
1948	omsecor.exe
1948	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2384	2628	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe	30
PID 2628 wrote to memory of 2384	2628	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe	30
PID 2628 wrote to memory of 2384	2628	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe	30
PID 2628 wrote to memory of 2384	2628	caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe	30
PID 2384 wrote to memory of 1948	2384	omsecor.exe	33
PID 2384 wrote to memory of 1948	2384	omsecor.exe	33
PID 2384 wrote to memory of 1948	2384	omsecor.exe	33
PID 2384 wrote to memory of 1948	2384	omsecor.exe	33
PID 1948 wrote to memory of 2008	1948	omsecor.exe	34
PID 1948 wrote to memory of 2008	1948	omsecor.exe	34
PID 1948 wrote to memory of 2008	1948	omsecor.exe	34
PID 1948 wrote to memory of 2008	1948	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe
"C:\Users\Admin\AppData\Local\Temp\caf3e3d21f09aa927f0dfd376d3afb114e1561b5522d9429504a9684e97e0b50N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
25d5d6bd4e9a8316aa24ee45f425a2e3

SHA1
d278e4caac0651814988adcf3a0db3e45b6b12d4

SHA256
486b8426e99c5ee83e4b923119f74961160fadbe5340a1a44ccc233b351028bb

SHA512
11e847cc975ec720ab959d982876a2ca679772b648e72c7340047a97f50fabce4e28bf52a415846047671247366496f6116cca270347889d17709862638c554b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
a4f01b414c6fc1a92856d2406ece6e2b

SHA1
a725a92e9c9cf9f68d2d6224f82dfb627c3bbbea

SHA256
80c4dfec71024ff4799bfa48fc8bd1336781d23ded7144de5bb3c4786e601ca2

SHA512
98c6fb4eb7525d6ed2ab96d3b489dc9edf58bed528f380c1d6acda01a89a046d01e8699d621be802dd1a4519cb37ab6ca4e9312cfa1be19b009e45e2d8af1469

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
d9c3ce6b2d75fe3df10eb41abc41e9f8

SHA1
4a1110d95a4e3693912559c54782d978b62b583c

SHA256
5c076ba62e9305afd5d43b1f2fd12d5dc336ca791c472a974e9da8665d9355a0

SHA512
5b237a698fdd31a99536c3c9b2d7f8797db939470d4c9ad17afa1d93c3bd9920028d40380379ef1320d62f133a7e685cfc8f8e457b69cd515793d16b879f459d

Download Submit

Analysis

Sharing