neconyd | d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4

General

Target

d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe
Size

61KB
MD5

4e72910783d6d50b3057fb4c867c8a30
SHA1

41e7631e7e2d54e224ddb8aa4d11250037e37fad
SHA256

d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4
SHA512

c528af3f7dff28c1d077ca67f54f6ff1c6585ce2a0f9b36b6cd3777a7ffc2fc000cddb1eb631667c528ab1a53815c9125f9ad94e6faf46e892b1ba5d0dcad653
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZOl/5:7dseIOMEZEyFjEOFqTiQmYl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1068	omsecor.exe
1696	omsecor.exe
2780	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1504	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe
1504	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe
1068	omsecor.exe
1068	omsecor.exe
1696	omsecor.exe
1696	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1068	1504	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe	30
PID 1504 wrote to memory of 1068	1504	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe	30
PID 1504 wrote to memory of 1068	1504	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe	30
PID 1504 wrote to memory of 1068	1504	d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe	30
PID 1068 wrote to memory of 1696	1068	omsecor.exe	32
PID 1068 wrote to memory of 1696	1068	omsecor.exe	32
PID 1068 wrote to memory of 1696	1068	omsecor.exe	32
PID 1068 wrote to memory of 1696	1068	omsecor.exe	32
PID 1696 wrote to memory of 2780	1696	omsecor.exe	33
PID 1696 wrote to memory of 2780	1696	omsecor.exe	33
PID 1696 wrote to memory of 2780	1696	omsecor.exe	33
PID 1696 wrote to memory of 2780	1696	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe
"C:\Users\Admin\AppData\Local\Temp\d3469837ff9105d7ade82fa1382eb7635ee943afab7634022238cbd07146f6b4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
19c85f2eea2ea1f59c9af20bb904ed77

SHA1
304a85f8b77aa32b8349ed8241f57a8951e64ccc

SHA256
eb55527b323f50fe4564a6411b45c371539042d52bcba9f86b053f4028d06a19

SHA512
39bc4281de9ac7c774d619e817bf03c6f2826f6e02def8f688a2f468270fe68c710cdba56c2b067def6814c59b8b413147af841646ab074cd7c1d9b720a437ee

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
8f783c4b314691aeb8283f198bd22237

SHA1
d5c81e294782572105f42cb0b39732bf50ed45fb

SHA256
1e2d2e4af8e9b2ef2a9f62d77727462c0fdc1a2ed27270a4e54420af5db3e4db

SHA512
894da95f38705c1278921b681240754416f6147d17c2a31fd58357d21d5eaade75ebcaf4c1ec874eb4421b60e16d28ab5dbdd8d0c97b69b9579b963f85156364

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
14680d86582cf3d4e4146c533461766f

SHA1
9e59b53f87d23a31b705b8abdd7ee95a338f93e4

SHA256
7fbc40a7e2c4576537ea97c44cd5339e8bc89c88f35cd1645cf7ab98e4ac012b

SHA512
a74b7f040941b012cef3b63a05f7a63f58f286875b331e3b78679bb8b882c1e5d7829d12109f0d61069fb201c70246313fc84f9203e048805e08b5441a5631c0

Download Submit

Analysis

Sharing