neconyd | 308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7

General

Target

308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe
Size

80KB
MD5

ce306668b086c19e164f906003b26283
SHA1

7df364972f9f650b360135e39fedcc11db439d56
SHA256

308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7
SHA512

8bd137a6a9c46dbe7134fd29af80ba20f32393de2dfae077f01411cb702470004380738bf3d5aafb78f19b301ee8739458b8f4010798d54067064bad155b3fb4
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:XdseIOMEZEyFjEOFqTiQmOl/5xPvwX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2508	omsecor.exe
1632	omsecor.exe
2392	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2272	308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe
2272	308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe
2508	omsecor.exe
2508	omsecor.exe
1632	omsecor.exe
1632	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2508	2272	308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe	30
PID 2272 wrote to memory of 2508	2272	308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe	30
PID 2272 wrote to memory of 2508	2272	308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe	30
PID 2272 wrote to memory of 2508	2272	308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe	30
PID 2508 wrote to memory of 1632	2508	omsecor.exe	33
PID 2508 wrote to memory of 1632	2508	omsecor.exe	33
PID 2508 wrote to memory of 1632	2508	omsecor.exe	33
PID 2508 wrote to memory of 1632	2508	omsecor.exe	33
PID 1632 wrote to memory of 2392	1632	omsecor.exe	34
PID 1632 wrote to memory of 2392	1632	omsecor.exe	34
PID 1632 wrote to memory of 2392	1632	omsecor.exe	34
PID 1632 wrote to memory of 2392	1632	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe
"C:\Users\Admin\AppData\Local\Temp\308c56dead16e4a6150d64084db9a4173d6f82676ced5773d4ca9f918a1b15e7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
ab0876f72023970f37aa13ba01191a5d

SHA1
ddba8c3c0f610658bed87d075654c38169a5a3f6

SHA256
0675768048178d802e464b91bd2aa740648e750abe4c6ae066501783a0f06c22

SHA512
d0ab00c2897f11a156b637898782a9c2316b80e3d69d10f78b3d1a80a41a99f0902b0ff5603502693dd040c1932ec5cf1b572e571a21ae11573dcc70d0dd655c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
325685a40d855e6e7156885aa5c7d35b

SHA1
3c8a92a57b5463e957109160c210f624d0a3be90

SHA256
69231a33b599e247b3a3faa764e00f8b02f571840647bb7644f36d6aada5a0c0

SHA512
05a0ba27e02cc73178594456b697a7d65a125f4d3e3b51955d088fd37279261e8b97085c599870b395f1dbe17140e503858757013183effb467acd0a769d653d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
59a3be1b7c7788e995fd60c016ed039a

SHA1
8fae9bc9af3dcb6249ea27fa7d1e3fdc84552bd4

SHA256
e4a6e0eb7b90e669c1a5307b17ba1e1b323c4e482b2e952d8dbdcbbe6122c8ea

SHA512
83ebb25defa2b8ec235ada38545363959c090205b0cb741057de3698b1347647369bf5be9b7334d5820f139fa46bb6ab769802b7bb91b8ddc3bf9b3cb959a8ca

Download Submit

Analysis

Sharing