neconyd | f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a

General

Target

f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe
Size

64KB
MD5

faa1f0708a24f1248f743e820a405109
SHA1

a412e6fab7fb4dcdb7f5d8c2994649380056e7a0
SHA256

f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a
SHA512

261f2f1c3982146fbef8e58b7cc0bd507af25e70f40bc3cb382f8f161d3409d17d10ebb742dc7e5c1a95482273cf7843af92f11ac5c7c739254f1e2732d3d9e8
SSDEEP

768:KMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAN:KbIvYvZEyFKF6N4yS+AQmZcl/51

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1916	omsecor.exe
3008	omsecor.exe
2660	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1064	f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe
1064	f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe
1916	omsecor.exe
1916	omsecor.exe
3008	omsecor.exe
3008	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1916	1064	f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe	30
PID 1064 wrote to memory of 1916	1064	f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe	30
PID 1064 wrote to memory of 1916	1064	f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe	30
PID 1064 wrote to memory of 1916	1064	f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe	30
PID 1916 wrote to memory of 3008	1916	omsecor.exe	32
PID 1916 wrote to memory of 3008	1916	omsecor.exe	32
PID 1916 wrote to memory of 3008	1916	omsecor.exe	32
PID 1916 wrote to memory of 3008	1916	omsecor.exe	32
PID 3008 wrote to memory of 2660	3008	omsecor.exe	33
PID 3008 wrote to memory of 2660	3008	omsecor.exe	33
PID 3008 wrote to memory of 2660	3008	omsecor.exe	33
PID 3008 wrote to memory of 2660	3008	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe
"C:\Users\Admin\AppData\Local\Temp\f5b1ea19507d9dfbbac7555162dbb673fb3e6506e6775f8a9c90de0b20bb895a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
1c347f2656a9aa3867ecb159f99856d4

SHA1
3d88ae5cbb444b98c515e00507cd3d2063d42d51

SHA256
48e8a3f4939995f5ff2fc1fa5a8e2ba03897d0fff924f28c51ed3d55a07b98a9

SHA512
92e832605d20876945463d924a993eabae5aa9a74f2816bf71949466ceae2013f09c50ec3808e79943ef7a3c2b7ed81e7155c8377b3e62885c73cb652a9f080c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
5da73bf637fba84a7388adb2617192e4

SHA1
fe7f4bed7f004a7efa3e9e4e2464e20e18b36a59

SHA256
082fd0f9573aee5e62f395c69fb62924e5c0c48ee7d223954c42df160426f755

SHA512
c5c0132f756bcd74da7f00463d8a4ca999dcbce4cd28492091291cd33b6a45df3f85578bfdde008b91a6bf8e8af40e817e13beef5a985ad21e7c2cf482c93185

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
67bee810250bac5845ca7003456d51f7

SHA1
5e97e1d2dbb68ca9a330c79046fdd1e5fbadd892

SHA256
930c9d0a601a29ca5d46277b5f0139f48a1b12ad6aedb3e0f918f35aa997aea6

SHA512
ed7b35e24b5b89456a6fbdea44ec26e7ba33ef2e11bd00621f76cb603d744f339fd71d83b3e2f4da230b41c56536d0c33443aba9473caa3913127d09a55eeb88

Download Submit

Analysis

Sharing