neconyd | bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022

General

Target

bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe
Size

62KB
MD5

b8d81c6c19f8790104089e0387dcf070
SHA1

baacf52d869f94b73e2d10b75f1650b458207b8a
SHA256

bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022
SHA512

08b11bb8ec067b01751c3e294423b152758b82f8b8c8bfa7190492c91e775532c98cea369d351138a1cc9b8cd808a2bcf3651df5c6d724ecf322be47ceffe67a
SSDEEP

768:NMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:NbIvYvZEyFKF6N4yS+AQmZtl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1804	omsecor.exe
1664	omsecor.exe
2808	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2084	bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe
2084	bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe
1804	omsecor.exe
1804	omsecor.exe
1664	omsecor.exe
1664	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1804	2084	bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe	30
PID 2084 wrote to memory of 1804	2084	bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe	30
PID 2084 wrote to memory of 1804	2084	bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe	30
PID 2084 wrote to memory of 1804	2084	bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe	30
PID 1804 wrote to memory of 1664	1804	omsecor.exe	33
PID 1804 wrote to memory of 1664	1804	omsecor.exe	33
PID 1804 wrote to memory of 1664	1804	omsecor.exe	33
PID 1804 wrote to memory of 1664	1804	omsecor.exe	33
PID 1664 wrote to memory of 2808	1664	omsecor.exe	34
PID 1664 wrote to memory of 2808	1664	omsecor.exe	34
PID 1664 wrote to memory of 2808	1664	omsecor.exe	34
PID 1664 wrote to memory of 2808	1664	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe
"C:\Users\Admin\AppData\Local\Temp\bc70b38d36135c7bff0caf0e97530ee0cc456c519fbfd7ec5d50f65004c56022N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
21b5d3e59bacda15663ecafe0d357b3a

SHA1
3da1899ecf217834ed30507928199e2b3694f077

SHA256
8aa9927883223e28d9e4cbbfb6d1ebf9b5b47a50bbcefc7cb901b89c117b08ca

SHA512
b42292fdec291166456af8940163a327efc6bc403565ace13a88e172ba2b8eaa7639c819eb9526b6238669c273c4e55277fa92c580ef118ea5ab383b94d98d7e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
bcca2f865ba3da0126eed3d3bd38ceae

SHA1
076f9a22a6c0967b7f8c09fd4ddd2a6dac90370b

SHA256
d270949898f36c8dcdd60903891de8f78b6d9922ced0db335a421cf85a004bd0

SHA512
d820fc2565563978b8c691676bcde2f3ca25acfbd592ee948f89973d47e05c2bf5a65c2c52a7ae7f09e50b38a2b62d93e2e5e79629c346bf9a1540d0befd4301

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
8bdf5c985db8f73094c9c762bd4b4246

SHA1
38bcbe8f077fb41b58a66cd9d4371c76419da97a

SHA256
05b35abd2e1542aa15de27dacddc6e81db1a17436d18b913c0b93412fcc58dd8

SHA512
c861fdeb9ec79d8f596d836684f4b3474cbf8c5c6b0c1c83a0a10c84bc48b2d8afda44f87bfb582b8cb89a27b90f958fa1371451da18b53d40d05d72b54df796

Download Submit

Analysis

Sharing