neconyd | 93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b

General

Target

93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe
Size

80KB
MD5

8bf04a74835812f292459e324ebc702a
SHA1

3177db2fd5634e3969240acfaaa52abcbdb5e3dc
SHA256

93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b
SHA512

c920a788bc4549e004f3f80a328208ee37ced69bb9f6e2817f5ec731a1a975c243316fa873c52ee248c3fcb2ab3318f7fe23c51398d884494dc234edf749134a
SSDEEP

1536:Pd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzp:ndseIOMEZEyFjEOFqTiQmOl/5xPvw1

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2320	omsecor.exe
2328	omsecor.exe
1660	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2140	93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe
2140	93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe
2320	omsecor.exe
2320	omsecor.exe
2328	omsecor.exe
2328	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2320	2140	93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe	30
PID 2140 wrote to memory of 2320	2140	93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe	30
PID 2140 wrote to memory of 2320	2140	93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe	30
PID 2140 wrote to memory of 2320	2140	93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe	30
PID 2320 wrote to memory of 2328	2320	omsecor.exe	33
PID 2320 wrote to memory of 2328	2320	omsecor.exe	33
PID 2320 wrote to memory of 2328	2320	omsecor.exe	33
PID 2320 wrote to memory of 2328	2320	omsecor.exe	33
PID 2328 wrote to memory of 1660	2328	omsecor.exe	34
PID 2328 wrote to memory of 1660	2328	omsecor.exe	34
PID 2328 wrote to memory of 1660	2328	omsecor.exe	34
PID 2328 wrote to memory of 1660	2328	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe
"C:\Users\Admin\AppData\Local\Temp\93ffad7d8db9995b3a0024627766a6d54664acbd2bfb1e50ae2665f73384b65b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
349b0e554f2e5aa96159b75eada86dfb

SHA1
19207617a568a8da2b8e3f35dd6aacc2f47523c6

SHA256
9b5635fb84f67a34261e5d166244aebc109e7fa571fd68b94af6a85a0d6cc9c4

SHA512
c3be5d2d4fa73092fd2a5a504b274e89002b0cba0633669361efd9883abda97836d0b9dacbabf1381ffcdfb76bf9b4bb0e188c7b6b8fd225d914c1c3f8fad712

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
9601a56e7fe3dec809f94cc234fbac23

SHA1
dfea0c907624eb009541df03e33a48e7e8c1505a

SHA256
70f82ca13394a5a1474c16ed4747b087897b52b7c95a22f2db5b5ea3b2b148e8

SHA512
161a8fa6419cf33d80b6756694e60697cab4996d65879121322f309f2989fa27e2c5a34663640566f212050b9a885f12d5f60ff14a435a3623196767129de2b1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
1373534b8f507b319dee2c689f82816c

SHA1
df825d893d65dc41bdbdf1d5107985bb5feb740c

SHA256
3ddce5bd0004f2633de4b5cec66df93a589760b0d82cb20cb301b275e7135d84

SHA512
a72c9cc6a18bcdb78bcfe7d08b670fbfcc65ff178a9e082dbbc39eea30237c4f29120db5eb95bfe966a1c9f22f5d53fce14415d6b6134a99520541cf31772165

Download Submit

Analysis

Sharing