neconyd | 74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33

General

Target

74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe
Size

84KB
MD5

aa6d3f6a6bb159ee1d35d4859e664190
SHA1

8b9b60d42a5f42435bfa03cc7448c1b9b90fc3b3
SHA256

74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33
SHA512

186c7be6f9312317fca1dc9cd2926d12326b13adf9828e5e90f95e0ffe8bbb0ae529a5e2b1409ebe0aabf1ae8f5fda7ee565c6baba814016fc052a074ce3b4ae
SSDEEP

768:/MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:/bIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2380	omsecor.exe
852	omsecor.exe
2128	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2240	74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe
2240	74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe
2380	omsecor.exe
2380	omsecor.exe
852	omsecor.exe
852	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2380	2240	74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe	30
PID 2240 wrote to memory of 2380	2240	74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe	30
PID 2240 wrote to memory of 2380	2240	74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe	30
PID 2240 wrote to memory of 2380	2240	74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe	30
PID 2380 wrote to memory of 852	2380	omsecor.exe	33
PID 2380 wrote to memory of 852	2380	omsecor.exe	33
PID 2380 wrote to memory of 852	2380	omsecor.exe	33
PID 2380 wrote to memory of 852	2380	omsecor.exe	33
PID 852 wrote to memory of 2128	852	omsecor.exe	34
PID 852 wrote to memory of 2128	852	omsecor.exe	34
PID 852 wrote to memory of 2128	852	omsecor.exe	34
PID 852 wrote to memory of 2128	852	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe
"C:\Users\Admin\AppData\Local\Temp\74c5241eb0d52d4b3c368b114ec82ea1c605bbd1840a6437ce7582ae303b7f33N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
c9cf5d4c4e3f9497181cdcda1f201aa7

SHA1
aa5d3ac82556d9aa743d87f79f631ce9a5ccbc19

SHA256
4b4e9e66ac06e8bb57b5a3c4ffd58faaedfefe9f7e55de4759d598abaceb582a

SHA512
7325ccc4fed82a4abd739759a798eccfaf5a19dc6888c52f657e0b53d33961e8292123a3923162c97951081b49afc39f8fd538ea73b88c5c30d98244e45ff536

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
a5390c9c7fbe3f30e1bb05739645cc35

SHA1
32e55990cb78581ec125545e5af21223c3a1e2ca

SHA256
1b90b42c0d71211522c8b4a19a4c6cdc587d1d01625e6b79a66d40da7e19ae7f

SHA512
9fb4f2059d2458ff4a2476d27788375199442177dcbfbf8ddebc2cdadbba4189a9d4fc2ef2eab1fc42e20bcb97a35fbb3301bc92a4eab0f63a548c2b720a51f6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
d3dbbc94dca0e42e385f7a4dffe126aa

SHA1
ebf394b4666b09bfd7efb3b95029b78963ad4096

SHA256
faae2d9c9db571bfa7006d20da85552ffcb5cf2f4283f77e41c54b5f4884ec33

SHA512
1d84cb439cb44f45ebeb913acd24391faf1437b5a18324bdb215cfc9335b677c44461d3a96ec067e52c8e323bb2ee4b1f55666d035bd25e7e8e11a79da2b3472

Download Submit

Analysis

Sharing