neconyd | 2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46

General

Target

2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe
Size

80KB
MD5

c16fb9eb68e644392b469da041ce9d80
SHA1

755b3886c9fdf506a95caa4be7029e2e734090ba
SHA256

2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46
SHA512

a112d0bd93ebaf47fb6922a7b6db5ffcf4ef8e3eaecb9899838baeac39094d90517ea10c5e8fe2d8b962ac7e9245e111515fec1eafe3e7e341060d78b65da525
SSDEEP

768:3fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA6:3fbIvYvZEyFKF6N4yS+AQmZTl/5i

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2564	omsecor.exe
800	omsecor.exe
2660	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2112	2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe
2112	2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe
2564	omsecor.exe
2564	omsecor.exe
800	omsecor.exe
800	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2564	2112	2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe	30
PID 2112 wrote to memory of 2564	2112	2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe	30
PID 2112 wrote to memory of 2564	2112	2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe	30
PID 2112 wrote to memory of 2564	2112	2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe	30
PID 2564 wrote to memory of 800	2564	omsecor.exe	33
PID 2564 wrote to memory of 800	2564	omsecor.exe	33
PID 2564 wrote to memory of 800	2564	omsecor.exe	33
PID 2564 wrote to memory of 800	2564	omsecor.exe	33
PID 800 wrote to memory of 2660	800	omsecor.exe	34
PID 800 wrote to memory of 2660	800	omsecor.exe	34
PID 800 wrote to memory of 2660	800	omsecor.exe	34
PID 800 wrote to memory of 2660	800	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe
"C:\Users\Admin\AppData\Local\Temp\2570f2938a8accbc41424134e0347d45a8779b36fffdd8aa104f02cd3fe04a46N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
5eec71668c62a161c89cdc13c3b585fc

SHA1
29123b1930f15e8a3f4cbc16d114f6571251569a

SHA256
0c1aed1bf8a561292de3a36446b0359d78f3beb4d8d3241ed47fd5320ec1663a

SHA512
d5f398802e0ef671af181c75ceed8fb9cb1650c5a4a5a79ac64bd2068465e5da67d80a9a751357b75af2f932d9b1d9489a0fe11e1402992a8052a2a6487fd556

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
fba539758a5097a451b8267e94064134

SHA1
f24b0327bf471d5dc41cff9039663f65428e2517

SHA256
bc5e5e18a5c1cbe27e73fd10303fd5c06b9e52f95f364787305aa9a394308d84

SHA512
4e70d2018e1d8b4b72eb82062c23b09086b027940ee1447870ff558e94438946090f0ac8b6cf402deabab4e2f0be88efa4d71b5f6fdb9ec3df09d3e61529d35a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
65052ab36c722e4d042c9c524352f8f8

SHA1
3fdef0564c555031a7a7a98358322814e2e75436

SHA256
30b7101c378ef00ea96cc5dc29259d5315ec2854efdf82dcac79339874c4a259

SHA512
f07bebe44f09355aa150536f31d4da839d225e2c92d656696a6fe4f5a309ed0c1cb98e07a3a8ed89893eca758ef94989ce44576e3fc25aa8ac2053aad411016c

Download Submit

Analysis

Sharing