neconyd | 1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76

General

Target

1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe
Size

61KB
MD5

58a9460b37d9363bb9c9dc9c5c4e42de
SHA1

bc0c589985451149f971676617412a06ebe4d143
SHA256

1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76
SHA512

7b9d4c51aa37375c546cc72fc7f3447dd0206749c85cb9fc0f26391886c6c31a4775b89a68f64d7a2de64ebd0b1ee99295565d91a5adb791d82e1872f4e21fc7
SSDEEP

1536:Pd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZWl/5t:ndseIOMEZEyFjEOFqTiQmUl/5t

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2520	omsecor.exe
2980	omsecor.exe
2672	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
388	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe
388	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe
2520	omsecor.exe
2520	omsecor.exe
2980	omsecor.exe
2980	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2520	388	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe	31
PID 388 wrote to memory of 2520	388	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe	31
PID 388 wrote to memory of 2520	388	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe	31
PID 388 wrote to memory of 2520	388	1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe	31
PID 2520 wrote to memory of 2980	2520	omsecor.exe	34
PID 2520 wrote to memory of 2980	2520	omsecor.exe	34
PID 2520 wrote to memory of 2980	2520	omsecor.exe	34
PID 2520 wrote to memory of 2980	2520	omsecor.exe	34
PID 2980 wrote to memory of 2672	2980	omsecor.exe	35
PID 2980 wrote to memory of 2672	2980	omsecor.exe	35
PID 2980 wrote to memory of 2672	2980	omsecor.exe	35
PID 2980 wrote to memory of 2672	2980	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe
"C:\Users\Admin\AppData\Local\Temp\1f6a1cd3da3e91060569eeb65e387f5e4cef513d15ffc7daaad302ea5d6b3f76.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
79390a1d4d7d0e1bab7219fdf0906a83

SHA1
8671ba7d17b0586cceec1b49965ce092e32f277c

SHA256
ab3ff9ce8dac43f4f2c04ba9ca4e977628c73b5c0670090809f01a5feeed32f1

SHA512
d13971d261676917e8ac730a47e8c842a14402246b37e50740758f7388c702637089addc2e73efd95efd39c68d9de6f380ba806e7b340196823c4709cb16af35

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
06bf00160dd4a0c838b1be61470d6048

SHA1
17c6a0d5d2c05af48ffe04c40a51dc4f5745fb6b

SHA256
15311f2ec37f2a706876146327afae37baaacbf8b3e3c7264a428802a738e68d

SHA512
1c51d96bca3f347005abe7f3643ab51be0cc696180e9f5d7d7a3ee93b6639b9d09b196f985dbf8e9d6c9f459173fd6f79d93d748820abdda3a0b609f02b554ff

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
188bc1fcab7230ce55b356aa1ea4475f

SHA1
d6c18bafd557bde703c5f524f3290627e5a38a99

SHA256
b9806286b0dae638ae189fa7bee5e17f3f1e90bf2c01361fd3b73dc4f7dfa6e7

SHA512
5e5c7c7990e13ba65b604319c59643e7be55eb8ac270a83478c5f9d1c50b8e9e0a6c924d7daaeb537e733d4f38298d30db3aa19754e59bdee7b2d7754f24a841

Download Submit

Analysis

Sharing