neconyd | 8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345

General

Target

8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
Size

64KB
MD5

1d905d3fd788fac0e3378e27d7f6c23e
SHA1

3ad24ef474429a940184a11ea45dc8ef6faabe23
SHA256

8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345
SHA512

dd8d7effe7f5acb9b8035b5914f4db305f0dadd348adab7eeed564e33c83069df9cb8bd8bb2392825adccc6962d7b7bea3b7dd6a88e74c93005aff35b1cbb744
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAN:4bIvYvZEyFKF6N4yS+AQmZcl/51

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2684	omsecor.exe
2312	omsecor.exe
768	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1728	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
1728	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
2684	omsecor.exe
2684	omsecor.exe
2312	omsecor.exe
2312	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2684	1728	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	30
PID 1728 wrote to memory of 2684	1728	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	30
PID 1728 wrote to memory of 2684	1728	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	30
PID 1728 wrote to memory of 2684	1728	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	30
PID 2684 wrote to memory of 2312	2684	omsecor.exe	33
PID 2684 wrote to memory of 2312	2684	omsecor.exe	33
PID 2684 wrote to memory of 2312	2684	omsecor.exe	33
PID 2684 wrote to memory of 2312	2684	omsecor.exe	33
PID 2312 wrote to memory of 768	2312	omsecor.exe	34
PID 2312 wrote to memory of 768	2312	omsecor.exe	34
PID 2312 wrote to memory of 768	2312	omsecor.exe	34
PID 2312 wrote to memory of 768	2312	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
"C:\Users\Admin\AppData\Local\Temp\8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
0b1d65db5faa1a22bebe10a40004a776

SHA1
7cba8ca2fc6c34f45ce4ca96236ad16e8852cab3

SHA256
da62b8c539fa734e3262b3383bd90873d8b44c613f7066e4735d01805c4b6589

SHA512
863fa0116dc67ef31afc5b899499bacfda18a4b214d930840a82284c1c883d8c6b922b9929688ffdc7fcf1daeeb8afb96ea707fd0546618e37d406e393c65db9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
080b5611700b702d58fa4d1d0fa6f2b1

SHA1
2a57150cf7fc171e3218cad140433b5e095d78b8

SHA256
8025937ba4224f3734b49e163ee27d3bf3118a3ddf7e1f97c31abdfa42e702b7

SHA512
4261aaf867f07633c080df36349668798f9b6c96a20558300d45e6cef8daf6a99b95a408a51c60d3a4846a96446b9811d1517dd228625007ef61b880b18fb3d2

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
dfa4656b019a0a8547be798bdd4697ba

SHA1
505168953ac269f870d6374be0273c20a0f63c53

SHA256
cf37ba3dd13db0a995b71c16afa790849fc0e083fe3942692f45ad3af8c1e976

SHA512
b8d518747a72032541923a501be7a3ae9c2a27a26d47c0cef1cc882baa7634faaefe8cdec4037179f1b56bed6484b61a025ef86a443187f2c538e840ea863068

Download Submit

Analysis

Sharing