neconyd | f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503

General

Target

f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe
Size

72KB
MD5

ad3f7111fc17af8f76717c48d7242ad0
SHA1

bb75ce277bc002c6552e0c82bbdc4bc94071b208
SHA256

f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503
SHA512

f71be5a8b044520ce15bafc71eec67c43128ae897b1f819575c3d07ac601b9066080dcb0d5aa924e9e920f107eee73a72dddadee332f15d6a7c4c366d6195d5d
SSDEEP

1536:Fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:tdseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1736	omsecor.exe
572	omsecor.exe
2884	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1908	f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe
1908	f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe
1736	omsecor.exe
1736	omsecor.exe
572	omsecor.exe
572	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1736	1908	f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe	30
PID 1908 wrote to memory of 1736	1908	f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe	30
PID 1908 wrote to memory of 1736	1908	f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe	30
PID 1908 wrote to memory of 1736	1908	f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe	30
PID 1736 wrote to memory of 572	1736	omsecor.exe	33
PID 1736 wrote to memory of 572	1736	omsecor.exe	33
PID 1736 wrote to memory of 572	1736	omsecor.exe	33
PID 1736 wrote to memory of 572	1736	omsecor.exe	33
PID 572 wrote to memory of 2884	572	omsecor.exe	34
PID 572 wrote to memory of 2884	572	omsecor.exe	34
PID 572 wrote to memory of 2884	572	omsecor.exe	34
PID 572 wrote to memory of 2884	572	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe
"C:\Users\Admin\AppData\Local\Temp\f190d3b6803a90cd35d64e70379a33d9886e1e1041365dcfce8c6a32a1bd8503N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
b566982b6bb2c8f16a696aa8c2aaeeaf

SHA1
b62c4f1d4a70f39b39076555fbf8c29952afbf78

SHA256
78c5de0aaa6b9120decd6ef0c0c7a490a8e4512dbfce10ad52b4746b5b638e8a

SHA512
df788729ed1f1cb753f6d9d9a5fe5c0681917a79bdb5b6f7db3db5504bca8567a1a6f4a483a0dc8826b5bd9362759676b05f0b8bab0fde229a583cd6ca408476

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
58e084afbfbac2f1c3febb2d2765112a

SHA1
cbb0a4c24a64c2928727ec6e4fbe3e953610431e

SHA256
dbff5b93167762e6fb718171498f753f2b35be694997d15e9e33717880512814

SHA512
0bd9bd851f7c910996947448959643127bf74e488488ec062c4e58fc5f9cc1c993477eedca7f9c381d03906bc0923acf4c2c46a75bfb62cfffe7fa9aca412eb3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
849b427785f576eccaf592cefc77f07f

SHA1
ca2c6006b3f82111745128736253bbdd06cf683b

SHA256
52ffa443de7194e79f59ea8e63358488dfbd4a80905347248f789c38a41ac2a3

SHA512
70a8919fe826d7f27b4ca51442100ae70bfa028476f3b2d92649cb9ad1873c8aa51e3384d9368501e3ea4f143d66f623d763d8da79373e88d481622fbd1e9f28

Download Submit

Analysis

Sharing