neconyd | 291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28

General

Target

291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe
Size

76KB
MD5

6828d009f206a96c7bb7227850d8b380
SHA1

1f180115a642cf68492d05183dbfe0a210555b7d
SHA256

291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28
SHA512

6110aa557d970ed5a5f6263eec40c0d44f04b69f82cd89b8d07eeab25dc7f9720fb446e7bb6591b48d75656f4fa34cc48431cc181fcd44caf3b2452931b5fcbf
SSDEEP

768:KMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:KbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2592	omsecor.exe
1108	omsecor.exe
1580	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2604	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe
2604	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe
2592	omsecor.exe
2592	omsecor.exe
1108	omsecor.exe
1108	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2592	2604	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe	30
PID 2604 wrote to memory of 2592	2604	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe	30
PID 2604 wrote to memory of 2592	2604	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe	30
PID 2604 wrote to memory of 2592	2604	291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe	30
PID 2592 wrote to memory of 1108	2592	omsecor.exe	33
PID 2592 wrote to memory of 1108	2592	omsecor.exe	33
PID 2592 wrote to memory of 1108	2592	omsecor.exe	33
PID 2592 wrote to memory of 1108	2592	omsecor.exe	33
PID 1108 wrote to memory of 1580	1108	omsecor.exe	34
PID 1108 wrote to memory of 1580	1108	omsecor.exe	34
PID 1108 wrote to memory of 1580	1108	omsecor.exe	34
PID 1108 wrote to memory of 1580	1108	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe
"C:\Users\Admin\AppData\Local\Temp\291f3c0cf8f5cab4dcf2a9d4d9bcaf1bf1fb12aed3efb52adda441dbf7a3ef28N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
9f3aa080f624d0671d2ae3e27292600a

SHA1
7c745f68ea6d58ed65854ac51a2865fd7e53eb0d

SHA256
c314c98d82168b2ac956c4d5b92b669dd65e4db536c129224e5ff8a9bee68a15

SHA512
6ba872630df440a88533e73e0e84bf40b8e50cdd0568e4b9ae11386039aa8fa40939a4aef3ab69a2bfb0de4fc3d39dcaf0c2c4f4a09a3f87545e6568ba7f6db3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
7f7fbd01fa10c9aca4995fdb2c5ec277

SHA1
abbdd5cd35376e83c61159e600e09641bab55325

SHA256
00d5874ca9b7a7894f5a41da0186e39efb85373e43b73f585c4b4d72c88b2bd7

SHA512
09bf6e768e294d288f88f979c3de45bc87592787b9881c350ec947fbf28bf902807071f23bb821cc15cb6eb67acb6812059b040a322e5e708d39aa8a8fdce929

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
4fbfe1cab66b98931a37fe47884dabd5

SHA1
e8a92c5e0b1785e6f864be4eba5a6837f93556d5

SHA256
1d2e3aa46ca76699b30d5e50ad01e952316b3ed78fe850ac63d62e1063be8e83

SHA512
b7a48fa9930cbaedba8aed0c2229d80c3f7e6198f5cfb04221b2a55fe23b5b9111eddbd75a1a0b4113ff820c027bcb6b67892614fa52065f4175d2f8e23db40f

Download Submit

Analysis

Sharing