neconyd | fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10

General

Target

fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe
Size

64KB
MD5

6db5e657551a718e029cf9d8095b49e0
SHA1

43a66b86b300ab632ad08926b92a4ad95998c000
SHA256

fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10
SHA512

4ccdfecee3c93823584f5cf9c101b0658320f555e6bc3c54c9b106f56191b91249d2d7ec4460f21ce24db8fa72498725c4390f1cdd52195e3fc9eda76a22fa87
SSDEEP

768:kMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:kbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2760	omsecor.exe
2340	omsecor.exe
776	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2692	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe
2692	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe
2760	omsecor.exe
2760	omsecor.exe
2340	omsecor.exe
2340	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2760	2692	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe	31
PID 2692 wrote to memory of 2760	2692	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe	31
PID 2692 wrote to memory of 2760	2692	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe	31
PID 2692 wrote to memory of 2760	2692	fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe	31
PID 2760 wrote to memory of 2340	2760	omsecor.exe	33
PID 2760 wrote to memory of 2340	2760	omsecor.exe	33
PID 2760 wrote to memory of 2340	2760	omsecor.exe	33
PID 2760 wrote to memory of 2340	2760	omsecor.exe	33
PID 2340 wrote to memory of 776	2340	omsecor.exe	34
PID 2340 wrote to memory of 776	2340	omsecor.exe	34
PID 2340 wrote to memory of 776	2340	omsecor.exe	34
PID 2340 wrote to memory of 776	2340	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe
"C:\Users\Admin\AppData\Local\Temp\fb72a92a19fbd7fafc5cf2bf230c7b8187efd5d5dcbc0ca431d80677b8bf3f10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
ccd70b4c481552f8f98d8baaee4193ab

SHA1
9756ae9490e3b16fd705d11d0fbd0841a4027fcf

SHA256
1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822

SHA512
8b99e51e809dce49a24b6761237777d0f6221b2c26cabdc045cde3f1582d455d2e0d6f1acf13801d6ef885465200e39ee74a534596162f5aae9476c70fd2b380

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
f275b45a5e7dddc9bf0996804202c1ad

SHA1
1af364bf6b6aaef8bf7d79625f96dd1840ce1989

SHA256
8da83ca4f290b82fa8e3d760f37aa8a646f09ead11ce30af52c9fada53135b9b

SHA512
5856b93dde8a427e63350cef4c248ca01b39ffe4df2bd34dafd9c34bdd4c3c36b571999f840508e070e9c99ce6e068ff3b50d66e8575012e434b5c0edd648f98

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
2092d4fa13d60eba92978dafe6e06d28

SHA1
7114300b1ad11eaac4512b073633ac6fe336598b

SHA256
e8fcc1435ac57f32e8ad0deeb2438e2357eb16bfa87b1821277f4aff3856f80d

SHA512
7fe816ed0cc3ed0d26aa51ce97c204d14bf60a2a155b473e68ad6636e792a5d8cd3e7e550a28d29f8abe35733cee719b587f3c7d6de23c2dd642e72a8f340298

Download Submit

Analysis

Sharing