neconyd | b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4

General

Target

b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe
Size

76KB
MD5

54671b1978545adcabcd1af11ee404fc
SHA1

509ad6c0bcaae5b039072de1901573ebdb593afd
SHA256

b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4
SHA512

dec6d7c69fc5edad231c81f3a94cef5fc36725ddf0ae6d2b40500aab6d9ffa377bec85b72520303b378818c4b34586a22c4db8586e47d1231fbcffde4fbaf780
SSDEEP

768:KMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWr:KbIvYvZEyFKF6N4yS+AQmZTl/5Or

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2772	omsecor.exe
2336	omsecor.exe
2892	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2764	b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe
2764	b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe
2772	omsecor.exe
2772	omsecor.exe
2336	omsecor.exe
2336	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2772	2764	b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe	30
PID 2764 wrote to memory of 2772	2764	b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe	30
PID 2764 wrote to memory of 2772	2764	b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe	30
PID 2764 wrote to memory of 2772	2764	b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe	30
PID 2772 wrote to memory of 2336	2772	omsecor.exe	33
PID 2772 wrote to memory of 2336	2772	omsecor.exe	33
PID 2772 wrote to memory of 2336	2772	omsecor.exe	33
PID 2772 wrote to memory of 2336	2772	omsecor.exe	33
PID 2336 wrote to memory of 2892	2336	omsecor.exe	34
PID 2336 wrote to memory of 2892	2336	omsecor.exe	34
PID 2336 wrote to memory of 2892	2336	omsecor.exe	34
PID 2336 wrote to memory of 2892	2336	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe
"C:\Users\Admin\AppData\Local\Temp\b9812e755a69b3af67d692ba4d2cfe5c6c9bd114ae8d892e03dd90d5e6463dc4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
698a1d374c0d6a15bd6c5521b98a4fab

SHA1
32d253ecd5780114899522bd2f70ec603e1a2d16

SHA256
a6fc565806135989a1e99a3ef9e8619da84dc49d96335b7d08c7c0c55e34a184

SHA512
10375adaa510ea9d86c45b6cc603b8516e6b236a3d6b804c1a9ee9ef4159d4e90e602069bd04c396303fcd95dc8aeaa4362bec7b49ec51976f2a4453f578f052

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
fb69375e151864010137492993111414

SHA1
e739d54c8bfc82648c733e804b911d2a75a0b311

SHA256
4240db1f62eae917fa92609a65faa918436e66f946128817e63831a8c586bfd8

SHA512
79cb437a7016f7b9ba905ab1355c419fd5fe0f7faec85ae8e2518bc3b6927a2a4158e242978173be82cb45e24c2ab2eeac38e850811e90920a848609b7ca5e34

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
7a47e135a722921d266adfd7099b2cd7

SHA1
68bc5c44dea200170b2bbc8ed92b2fe9ba58d888

SHA256
d828331f3ae8331c56fdabdf10df3541380515566e6a588293d358770be4cae7

SHA512
1de08c6cfd2827e59f6247e3ba4173ed0cd15951c5825f33ca97cafe9320809f6a83f781b43e3a8ca862bb8aecf12bc2e254f33ac8b9937e7d44f5006991f540

Download Submit

Analysis

Sharing