neconyd | 1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9

General

Target

1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe
Size

62KB
MD5

3dcdb2d1d4ba8dfb3a9d6fe0b1b20e75
SHA1

bd322d374d7ec59ce7994fefb808ab42e51ea521
SHA256

1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9
SHA512

5130d0939b8336d13173c97dd6720cc61d27d24ec5afc73fcb274c180843534052e09d30e4672753f8a8687fbde935ced8f6a961103bc4b6dd32c357aa673f93
SSDEEP

768:sMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA9:sbIvYvZEyFKF6N4yS+AQmZtl/5l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1784	omsecor.exe
2972	omsecor.exe
1408	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1904	1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe
1904	1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe
1784	omsecor.exe
1784	omsecor.exe
2972	omsecor.exe
2972	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1784	1904	1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe	30
PID 1904 wrote to memory of 1784	1904	1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe	30
PID 1904 wrote to memory of 1784	1904	1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe	30
PID 1904 wrote to memory of 1784	1904	1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe	30
PID 1784 wrote to memory of 2972	1784	omsecor.exe	33
PID 1784 wrote to memory of 2972	1784	omsecor.exe	33
PID 1784 wrote to memory of 2972	1784	omsecor.exe	33
PID 1784 wrote to memory of 2972	1784	omsecor.exe	33
PID 2972 wrote to memory of 1408	2972	omsecor.exe	34
PID 2972 wrote to memory of 1408	2972	omsecor.exe	34
PID 2972 wrote to memory of 1408	2972	omsecor.exe	34
PID 2972 wrote to memory of 1408	2972	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe
"C:\Users\Admin\AppData\Local\Temp\1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
df2e761dfcc12b0f5dc6c04dae060a0c

SHA1
9a19fb937942a63bea7e626e1dd111001ed27adf

SHA256
3e88b1bc041644fc0cb107c88e5eb997e4cf59f621fe706b19942f7fc225cb85

SHA512
079d50d1df83165a1d9b6d0fbb8efc5f7d3e33e1c33ce5cb32c5fb0dbb7e558b28af766c12350395f88dfac6b8d008890dc61a804b4d0c180abfa2009630787a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
4b9c29f26ead3b6be3c2066dc511476d

SHA1
a1cee8ddfaeeb934bc2c2ce6c2a268ca5254955b

SHA256
02716db5021493b91fc436ae05ec3cbbba7586b646bcb6fc1b653b39efcaa7f8

SHA512
0d2aa4950d09450ffaff88edbba451e41dd177205ffdca787bd5197fa47db2cd5706dc2901526642bd3cdc9ac99d5c60abf6bea0e5a583da91bbbdf88513002c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
b14cfbdd41308488aade9476d26ba81c

SHA1
6c155364ca912616847db7a3ebd0d196c8e1e2a8

SHA256
2b62161dc3b901a0d065202f629c7c2c1ff11fbf905b4ad70926b5194dfc43ca

SHA512
fa41762dacdf44703c68974b94fdfe093704106dcd4a3919ff8abce3f18f6479c2a970ee0101ca22270bb50534824a9dea590c96b13c55005d36875bab333eb4

Download Submit

Analysis

Sharing