neconyd | 432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1

General

Target

432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe
Size

84KB
MD5

e1be79886e6f2041654f4fc69175f206
SHA1

910f36d2b197e4e6b02c6d727a8558e09ef77217
SHA256

432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1
SHA512

317c23fcf89d49fea1f527a5133e992db09d60484232f10835f12cbe75611ca4c15297661636948b08e30c9dce0fcf8a86972988674153e9f071db8386077139
SSDEEP

1536:Ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5z:gdseIOMEZEyFjEOFqTiQm5l/5z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2924	omsecor.exe
2308	omsecor.exe
2980	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2656	432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe
2656	432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe
2924	omsecor.exe
2924	omsecor.exe
2308	omsecor.exe
2308	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2924	2656	432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe	30
PID 2656 wrote to memory of 2924	2656	432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe	30
PID 2656 wrote to memory of 2924	2656	432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe	30
PID 2656 wrote to memory of 2924	2656	432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe	30
PID 2924 wrote to memory of 2308	2924	omsecor.exe	32
PID 2924 wrote to memory of 2308	2924	omsecor.exe	32
PID 2924 wrote to memory of 2308	2924	omsecor.exe	32
PID 2924 wrote to memory of 2308	2924	omsecor.exe	32
PID 2308 wrote to memory of 2980	2308	omsecor.exe	33
PID 2308 wrote to memory of 2980	2308	omsecor.exe	33
PID 2308 wrote to memory of 2980	2308	omsecor.exe	33
PID 2308 wrote to memory of 2980	2308	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe
"C:\Users\Admin\AppData\Local\Temp\432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
8e689a129eeefb32d8d710a303d8031d

SHA1
199bdfad5e9d6d0f25d912cf86200085b6ce6143

SHA256
ff2d97db9727efdc4ab58dbcd734fe4109994d4467c754b994e15613078ef3b8

SHA512
d67b1f7f3708dcfe9d899fa2b190baf31b41157fea2d766af311cb510de1dd12a3075a7e9da7e50f518ef7adc6cfa95d27a1cba38c4ba230333b08135901d45c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
ab6ea08e575e283dd6f94d1b4aeeafab

SHA1
8bf6b9c8326b82bcb5bcb96db932b03277a9d61b

SHA256
671494aef69e4e10dca6b7e069103fc8a7dd7df10dd01f68dd012da34189cab2

SHA512
80b8ad16b4481d131f0e53208a6ecf8e9ec3a557c686849189edcb10b8a85e14890fbf7b1668cb4a1ed6ccf28012a3750085f1d0fa6788be48be787427b6c639

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
6ead708079b306581edf4fad706ef245

SHA1
674fb460e799e8e2a1c53828b759296f24c963aa

SHA256
3265a3add42910c8787015a06aa49996e03ee3ea459412174331200368f11a88

SHA512
2d530adb45c86c639d9c2af189ba9bf3f300ed8fdaccfa75383d11e0e2eeff2f2d2bdcb1748d8b862116af7bce8dd0babde8508286a1f94beba1c18a8324b34d

Download Submit

Analysis

Sharing