neconyd | 1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822

General

Target

1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe
Size

64KB
MD5

ccd70b4c481552f8f98d8baaee4193ab
SHA1

9756ae9490e3b16fd705d11d0fbd0841a4027fcf
SHA256

1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822
SHA512

8b99e51e809dce49a24b6761237777d0f6221b2c26cabdc045cde3f1582d455d2e0d6f1acf13801d6ef885465200e39ee74a534596162f5aae9476c70fd2b380
SSDEEP

768:UMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:UbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2512	omsecor.exe
2000	omsecor.exe
1256	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2500	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe
2500	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe
2512	omsecor.exe
2512	omsecor.exe
2000	omsecor.exe
2000	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2512	2500	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe	30
PID 2500 wrote to memory of 2512	2500	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe	30
PID 2500 wrote to memory of 2512	2500	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe	30
PID 2500 wrote to memory of 2512	2500	1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe	30
PID 2512 wrote to memory of 2000	2512	omsecor.exe	33
PID 2512 wrote to memory of 2000	2512	omsecor.exe	33
PID 2512 wrote to memory of 2000	2512	omsecor.exe	33
PID 2512 wrote to memory of 2000	2512	omsecor.exe	33
PID 2000 wrote to memory of 1256	2000	omsecor.exe	34
PID 2000 wrote to memory of 1256	2000	omsecor.exe	34
PID 2000 wrote to memory of 1256	2000	omsecor.exe	34
PID 2000 wrote to memory of 1256	2000	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe
"C:\Users\Admin\AppData\Local\Temp\1d5f315f0f442e556e23a46dca91e723cfe0f7fe6a89246602a703c74d064822.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
692ef024e4029fa12d90ec52095e70b6

SHA1
7c144caba9eb5e0e5a0e901527500643077340ac

SHA256
e19b4500eda3d7bf0f4171e235edc85ea9268271d99be0d644c7429a0ef74907

SHA512
9708867571e3451d4630161b2e268759507667dee399f820ed9325943c7816f353ba2fee08c64d52723e3643e1f2c42ec0754f1af2d8eec746639146f8479104

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
ee7375d68338f0bdbe6bc1a32defacca

SHA1
c07dc87d85fb8b06ec723c82c393124ebd421d16

SHA256
8a3c6a4d3af9bb182688198f2e9de8a8cc0e0ab845def9bdb95dd7139fce07f6

SHA512
e43b1b20b0a3550506621f173302aa2b3c53d73c6d0d9f3baed42f07a693ded39644958f9507309a1320a8d34164bf5f5bc5602a95a4cac2a1c43f6aa31bbf29

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
ac9fcbac4f04830cf542dc6be9c016d5

SHA1
39707085ae51eea2435ed795ac24fc526f6a527c

SHA256
95c955606069f4316da11c000c45d795ca3199b0ba3ef379971105d47656a48f

SHA512
4acc128080b4080681501c73a2a892b63f7454f3b7b07d94eb25853a0615c2576486368a5bfb8fcf3a47169f98e178c27a6f8001e59457780a162c21d35dda78

Download Submit

Analysis

Sharing