neconyd | 23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3

General

Target

23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe
Size

80KB
MD5

ddd89d6efef5086643807602e3759680
SHA1

d443699e56adf2b3d34a8aabd7caddc31f639004
SHA256

23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3
SHA512

dd7203a90aa27942f9b4e43363d154d634519f586ce276c1b2cc7a29cbd0ecf9e6972703a8396497a517363e63514e54b9067966f56074f046ce5cba921c51bd
SSDEEP

768:GfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA6:GfbIvYvZEyFKF6N4yS+AQmZTl/5i

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2468	omsecor.exe
2616	omsecor.exe
2548	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1820	23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe
1820	23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe
2468	omsecor.exe
2468	omsecor.exe
2616	omsecor.exe
2616	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2468	1820	23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe	28
PID 1820 wrote to memory of 2468	1820	23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe	28
PID 1820 wrote to memory of 2468	1820	23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe	28
PID 1820 wrote to memory of 2468	1820	23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe	28
PID 2468 wrote to memory of 2616	2468	omsecor.exe	30
PID 2468 wrote to memory of 2616	2468	omsecor.exe	30
PID 2468 wrote to memory of 2616	2468	omsecor.exe	30
PID 2468 wrote to memory of 2616	2468	omsecor.exe	30
PID 2616 wrote to memory of 2548	2616	omsecor.exe	31
PID 2616 wrote to memory of 2548	2616	omsecor.exe	31
PID 2616 wrote to memory of 2548	2616	omsecor.exe	31
PID 2616 wrote to memory of 2548	2616	omsecor.exe	31

C:\Users\Admin\AppData\Local\Temp\23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe
"C:\Users\Admin\AppData\Local\Temp\23fb8519c5a239eb0868dfaba0df8939df777e81e44dc73d00852401a0c5e7d3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
b009c7b972cafdaf4a80932f8d48d61e

SHA1
355ae7be58eb4724b12a0d5dd7fb05a8d4925c16

SHA256
aa3b3aa27d832c051f7945c01371c7424a8f24ddd0a76ab4399b029ef5565902

SHA512
011bb90d0d147726811631250303b8b7e166816f5db0f5573fa2ac53dd2a0f315f4a68098a6bf9c6d10b15637dd05c90e84d9b4cf163df6a1bafcb50c2093fbb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
40ea135b70429f90fa0a4ea79f3f6c84

SHA1
825f006a8f3482cd7f91639609ee8809696fcf20

SHA256
c77fb12cb0daf4bc65e7951be0776b86fa0508639b05c62b787838b2f16cd1fc

SHA512
a0436c4647d65137daa2f33fa3f660a74a2999da1fff18f3b7501bf130fc45e9ff08ab0a0a0a24c82dbe9b60501e008bab31b1a52c233a968f90db12f556cd4e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
a85e7a783e16c1de2e9127a88f082f50

SHA1
8e2315cb96be6c42883aec06a3e6234d9ff5f5fc

SHA256
ef562fba677c74de1bc267b08919ae2e806f6deb0c89431dc76cda622544bd5c

SHA512
03ccb86a5d026843e63a591608aadf4343db6b202f92e2fbeb1d8d413db1dcfcbf3d05df7df6765cbf0666a73804c430ef2ecd2be176ae6a53c457f3d0d72ef7

Download Submit

Analysis

Sharing