neconyd | d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0

General

Target

d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe
Size

88KB
MD5

c1a8b1d05ae11a59776d46cedaf875bc
SHA1

3355665a13d0d85ad329d10918cc433944226db0
SHA256

d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0
SHA512

661ca0c659bf574985c2fb3e5d8cbd35314e93961ce852738d246040e05686d0b7d1a209fa6d8ebd49b62116ef15dcb67b2c48a920ee5ff9930638844b21a61a
SSDEEP

1536:jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5R:DdseIOMEZEyFjEOFqTiQm5l/5R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2916	omsecor.exe
2564	omsecor.exe
3024	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2868	d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe
2868	d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe
2916	omsecor.exe
2916	omsecor.exe
2564	omsecor.exe
2564	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2916	2868	d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe	30
PID 2868 wrote to memory of 2916	2868	d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe	30
PID 2868 wrote to memory of 2916	2868	d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe	30
PID 2868 wrote to memory of 2916	2868	d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe	30
PID 2916 wrote to memory of 2564	2916	omsecor.exe	33
PID 2916 wrote to memory of 2564	2916	omsecor.exe	33
PID 2916 wrote to memory of 2564	2916	omsecor.exe	33
PID 2916 wrote to memory of 2564	2916	omsecor.exe	33
PID 2564 wrote to memory of 3024	2564	omsecor.exe	34
PID 2564 wrote to memory of 3024	2564	omsecor.exe	34
PID 2564 wrote to memory of 3024	2564	omsecor.exe	34
PID 2564 wrote to memory of 3024	2564	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe
"C:\Users\Admin\AppData\Local\Temp\d10393ff9c9cce28f2f0b4623cb56b538cc9cce891990c4b0b6e0187d19abba0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
ce2666ebdcfc9296d9556753ec77534d

SHA1
f94d662a12aa49409a158313fc22f5398d443630

SHA256
f741cafa3c6ae6991676bb12464450371e933e71fa5f21741b1e8bc2dd5679e8

SHA512
5d49ff0ab825a86e4e6a89a3e2208c7aa76008223b459fab709fc23ca0aaaf04f8d2a23d4fbf783abb129d1a6eca5070777617007657fe37b30544842d1ec2ee

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
a9e1e89cf8ed6b013872e6b423df8af3

SHA1
2b080f3479f2703b9b260f0a57bcf8f73cbc9dcd

SHA256
d92f5dcaa2608337c521e4ea097b63e2b7c56f8a23cba39758bbe799e7823edd

SHA512
61476d6aa9d32a6bbd21fb544d16e71125ba1ede66698a8e004b2b9fa0543dbdd2fe5f8cffaea6c33426001b1e9e73b4f6cbba6d69539560979ea6189331c794

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
3eefadfebbf74c45a77cdf6589d4759a

SHA1
e8fb93b1b75fa4baa124310745728d9201a51afd

SHA256
59e88a1342562b40a3e6a3f9f7229e78fb54e9f8b600fd3572f7a358781b5afc

SHA512
3128dda8f697d46f933d0901241ca1652680d3f6f2d08e46d8adc5109ebbbf17bdf8ee0aaf80baadcaa24dba4547913eaf748a8437077cda75c559a4b5f8c68c

Download Submit

Analysis

Sharing