neconyd | fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83c

General

Target

fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe
Size

89KB
MD5

39d29a04536e738ff9d9a15b87079060
SHA1

1e4f6694f61182f81d9ceefcb516ae25cffb4ecb
SHA256

fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83c
SHA512

7618528c6184d92a1d4c4ea824ce5c466bb183f448b347e9e7e743619f5f277707e33c94dbacd1f6399cb2e6ebb60a2c8607e96b9a301af4bdc9de6b50e270d5
SSDEEP

768:rMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:rbIvYvZEyFKF6N4yS+AQmZTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2444	omsecor.exe
848	omsecor.exe
1596	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
772	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe
772	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe
2444	omsecor.exe
2444	omsecor.exe
848	omsecor.exe
848	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 2444	772	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe	30
PID 772 wrote to memory of 2444	772	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe	30
PID 772 wrote to memory of 2444	772	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe	30
PID 772 wrote to memory of 2444	772	fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe	30
PID 2444 wrote to memory of 848	2444	omsecor.exe	33
PID 2444 wrote to memory of 848	2444	omsecor.exe	33
PID 2444 wrote to memory of 848	2444	omsecor.exe	33
PID 2444 wrote to memory of 848	2444	omsecor.exe	33
PID 848 wrote to memory of 1596	848	omsecor.exe	34
PID 848 wrote to memory of 1596	848	omsecor.exe	34
PID 848 wrote to memory of 1596	848	omsecor.exe	34
PID 848 wrote to memory of 1596	848	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe
"C:\Users\Admin\AppData\Local\Temp\fb1300d32582c6cfdf0abd83d5ec78d8672c87c68049f94bd85899af7732e83cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
a509c547ea8025b20b2c7aa560ee6569

SHA1
fcd543027cb1eba7b60c8ac4a444dfbb296cc480

SHA256
8343a1839357974e2f7e55d5647be9c25e14204a5f32a2f312e02f1879e94ba3

SHA512
ac1a9ed6e31d6d48d4267b284ad5b6fa6e879cfc405ae4a62f1c6aadd4039505fe87ae8f0de1601351c9ba2fd5fff4f7e0846fced4122e2e119dfc872b7e05d3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
1f7e40b8e837a98dcf224afcfeaa5d42

SHA1
117d1389ea40deeb883384aaf77adf3b8496910e

SHA256
b0c52ad1848c6b9e7cb91e5e940048ddf26a5aae86a67c16c63edcf65105f90e

SHA512
cddff69dfce273074c5f7fc873ba764e8bf054c309c4b73001bedee5f5c56d89e69ab315fe46d54864323200467785a26a0d414d444a8a619226b4a3a4160233

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
e868c027e83275b0b92b0162ebe92890

SHA1
d4af0310710b98234fbebdee5c06709c475feaf8

SHA256
f3af60e38a8b716429ee59d95bfdfea005460bfbe0fd2bbd7ce01993fab6ebc9

SHA512
3a11551d998775b5dd676e07b817d2c21ebc4039bfa19cdb4f5c5a0b16462fa05f9107ac9f355b230cf4c49361538a12b7dfd987d8aeb0a4dce91521114bb513

Download Submit

Analysis

Sharing