neconyd | 749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567

General

Target

749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe
Size

80KB
MD5

d3ea83a75ea33c10f3bfd90dedb90b70
SHA1

50ab030a33d76aafda568625b00026bf799b0aa9
SHA256

749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567
SHA512

2269df109684dba78aea4f0b1d9ea895cae5bc60f8dd2982b41baff0ad65ac6df921366ff766bad2e093794e36aa3b148c12bd6ba2eaa946e1fb22edd9556ee4
SSDEEP

768:FfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:FfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2588	omsecor.exe
2936	omsecor.exe
1248	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2696	749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe
2696	749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe
2588	omsecor.exe
2588	omsecor.exe
2936	omsecor.exe
2936	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2588	2696	749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe	30
PID 2696 wrote to memory of 2588	2696	749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe	30
PID 2696 wrote to memory of 2588	2696	749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe	30
PID 2696 wrote to memory of 2588	2696	749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe	30
PID 2588 wrote to memory of 2936	2588	omsecor.exe	33
PID 2588 wrote to memory of 2936	2588	omsecor.exe	33
PID 2588 wrote to memory of 2936	2588	omsecor.exe	33
PID 2588 wrote to memory of 2936	2588	omsecor.exe	33
PID 2936 wrote to memory of 1248	2936	omsecor.exe	34
PID 2936 wrote to memory of 1248	2936	omsecor.exe	34
PID 2936 wrote to memory of 1248	2936	omsecor.exe	34
PID 2936 wrote to memory of 1248	2936	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe
"C:\Users\Admin\AppData\Local\Temp\749833823d82bcd15e2f2135b962bf8e1a620fb781593e3df72bdd33c4688567N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
aac53c4c94db3619e352df375b79aabe

SHA1
efb777e41b912e9cb2b90cd12db309d21ea0c13e

SHA256
b5148440e7e77c672e69536d0807950a150604b8fa37846e022152039afb0838

SHA512
8547bf2146659330727c1ede788b88cb5b6d7a4dfe7b7bb379e1d493546973517f032013f77f2e119cc236fbb8b25fed091dc3e71f43bd66ab7147e86bb8f64e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
901651c7dcd0b99483ea5cd8d895bfc5

SHA1
9a6d95622f196346430298968120a5c344a0c434

SHA256
113d6437d45108fcb41836efe7337a102817cafbc38becfbb7cb84915a9df96e

SHA512
04f85bc87b16921bd0fd0aaa491aa40224d630adbc5eaccbc697ebe2834a075a1d71582af2a08fd5b6ecadbfa49de818938de542ec817437cdd8f3b8fc01dc0a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
933bdf971d111775bd28183e51d4de63

SHA1
4002b1e317b0f5bc08f4558efe50c8ae9c9c1716

SHA256
316bd9cfd0540692455be642484b9028911de510813057b0c8834f1e75a4c118

SHA512
4082d535e8da82a0ba79d9d3065399b4d986b6614883e3dfb7249beaebde121186d614f8fcaaf3bea709e49f9270ff7edb89771605c97565ac53677055681192

Download Submit

Analysis

Sharing