neconyd | 8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345

General

Target

8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
Size

64KB
MD5

1d905d3fd788fac0e3378e27d7f6c23e
SHA1

3ad24ef474429a940184a11ea45dc8ef6faabe23
SHA256

8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345
SHA512

dd8d7effe7f5acb9b8035b5914f4db305f0dadd348adab7eeed564e33c83069df9cb8bd8bb2392825adccc6962d7b7bea3b7dd6a88e74c93005aff35b1cbb744
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAN:4bIvYvZEyFKF6N4yS+AQmZcl/51

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2236	omsecor.exe
1808	omsecor.exe
2384	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1792	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
1792	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
2236	omsecor.exe
2236	omsecor.exe
1808	omsecor.exe
1808	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2236	1792	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	30
PID 1792 wrote to memory of 2236	1792	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	30
PID 1792 wrote to memory of 2236	1792	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	30
PID 1792 wrote to memory of 2236	1792	8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe	30
PID 2236 wrote to memory of 1808	2236	omsecor.exe	32
PID 2236 wrote to memory of 1808	2236	omsecor.exe	32
PID 2236 wrote to memory of 1808	2236	omsecor.exe	32
PID 2236 wrote to memory of 1808	2236	omsecor.exe	32
PID 1808 wrote to memory of 2384	1808	omsecor.exe	33
PID 1808 wrote to memory of 2384	1808	omsecor.exe	33
PID 1808 wrote to memory of 2384	1808	omsecor.exe	33
PID 1808 wrote to memory of 2384	1808	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe
"C:\Users\Admin\AppData\Local\Temp\8312e8a57f9f80cac147f70643f068772cc8620509337d7fd30a6d41c3a63345.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
dfa4656b019a0a8547be798bdd4697ba

SHA1
505168953ac269f870d6374be0273c20a0f63c53

SHA256
cf37ba3dd13db0a995b71c16afa790849fc0e083fe3942692f45ad3af8c1e976

SHA512
b8d518747a72032541923a501be7a3ae9c2a27a26d47c0cef1cc882baa7634faaefe8cdec4037179f1b56bed6484b61a025ef86a443187f2c538e840ea863068

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
2e91d3eb2d9f6da4de07405cd5d1fe71

SHA1
02c21ae3e1eb3b3a19e11a947f73f46d123ec478

SHA256
1f81fbf1a9ba224bc30d8ab2cd12646ae73d31cfedf70e0cf966d2cd51b7bbf3

SHA512
daa3286ab6fda05e2f63dc536359f79772c535da99131660082edc75754b7d58eb71090e0d6fa43d60d198ce32f8568a0db0fbbfe77d4f198b1002d74b83f2a9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
42d1cc968680e00ff6689f515ee0ad68

SHA1
5bcf9edb507dae000ff04222da688377979fe1a6

SHA256
464b76b3a650dc910df96a5879050da7415d5997a924da1363eaad9cb000a9b5

SHA512
5bbaabe8edd14f41957c5b0d6db7f17ec0fc109a0381010103d7ecf29697c5f215494bafbe5f1f01b3dbe60557fa26edc6eb8d985b4cc0e289b96915893a77bf

Download Submit

Analysis

Sharing