neconyd | d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e

General

Target

d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe
Size

88KB
MD5

b4e42e9844be91c103e9e9a3127a6647
SHA1

f84f2a9f1a4da86f68cd448f8c63d447f7cec864
SHA256

d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e
SHA512

a135f058a215dc41327ca9de171d4663179ac3a0ece2d80a2f5a16204aa60d01729db1fa64b5d462148270d5cae485932bff6d04fd2eafbeb04ce9fa67478e32
SSDEEP

768:xMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:xbIvYvZEyFKF6N4yS+AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2360	omsecor.exe
1280	omsecor.exe
1644	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
764	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe
764	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe
2360	omsecor.exe
2360	omsecor.exe
1280	omsecor.exe
1280	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2360	764	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe	31
PID 764 wrote to memory of 2360	764	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe	31
PID 764 wrote to memory of 2360	764	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe	31
PID 764 wrote to memory of 2360	764	d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe	31
PID 2360 wrote to memory of 1280	2360	omsecor.exe	34
PID 2360 wrote to memory of 1280	2360	omsecor.exe	34
PID 2360 wrote to memory of 1280	2360	omsecor.exe	34
PID 2360 wrote to memory of 1280	2360	omsecor.exe	34
PID 1280 wrote to memory of 1644	1280	omsecor.exe	35
PID 1280 wrote to memory of 1644	1280	omsecor.exe	35
PID 1280 wrote to memory of 1644	1280	omsecor.exe	35
PID 1280 wrote to memory of 1644	1280	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe
"C:\Users\Admin\AppData\Local\Temp\d8f46bd7cfa5973d17ffe435e76be71467dd2e5f8d7bae258e87454e955bbc2e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
c362e0b3465384a401ff47da27cb1595

SHA1
0b3ccd1e857c75a988c7e00ce496e945857922dc

SHA256
28d6f888627e4bd17f0db69f7baa1eb42640a459c130f02644d79edc5f46c973

SHA512
77ff21e5fd913e47c90bf9b93358fa0efd253d7e3a646f35263c85020949f30c061d51861500edbc67f17b201747c60b58126407dab308a123dbe8b9b4c6c023

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
f3cd9703126d0ae1a3093dd58914bfde

SHA1
e896b58d50241c1aefa4fa89174316721061d7eb

SHA256
1c1631c5dd27a2129ac2a7b75eeaf1d0f194f88010ff49da6e8b1fec10962376

SHA512
38e03759b47b9f1be06e013ed8fba53e0b0f76d50fcf3f3ca1a91586a6807c03d56ffd82b7833e1ab2846b84596a364ac2866d948db5f145673cc9d70fea0399

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
3196841e797c4111ba580fb4ae4cf9bb

SHA1
06f8ec54dc9f315baa3b8e1beeabd4a8e7d99d4e

SHA256
8635a5f4fe9e796115f053490d96bc0ef16c8df91e7adbd49012dcd8fd438549

SHA512
495e69613e160102629b982b3b0d26614266d87c156d1dfd9563f7c7f452341ac797849b27378ea65e1b83af813f8109e27d44cd8a54eab1ebf99be24a5ed4ad

Download Submit

Analysis

Sharing