neconyd | f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990

General

Target

f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
Size

89KB
MD5

ba2d45f4f924dd7d4cfe2157134938c5
SHA1

eb14ea5f387dfb8e580035b6f1b9d1622feaea60
SHA256

f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990
SHA512

65ee7d3abb9da0489e47e89d0d6724b7fc5ea0937d1863fa6f111013a22294b1176ab4b371fc95db539f45cadf43e69c9a1c6a47a246268a356e8e70d641283c
SSDEEP

768:rMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:rbIvYvZEyFKF6N4yS+AQmZTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2116	omsecor.exe
3024	omsecor.exe
792	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2380	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
2380	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
2116	omsecor.exe
2116	omsecor.exe
3024	omsecor.exe
3024	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2116	2380	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	30
PID 2380 wrote to memory of 2116	2380	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	30
PID 2380 wrote to memory of 2116	2380	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	30
PID 2380 wrote to memory of 2116	2380	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	30
PID 2116 wrote to memory of 3024	2116	omsecor.exe	33
PID 2116 wrote to memory of 3024	2116	omsecor.exe	33
PID 2116 wrote to memory of 3024	2116	omsecor.exe	33
PID 2116 wrote to memory of 3024	2116	omsecor.exe	33
PID 3024 wrote to memory of 792	3024	omsecor.exe	34
PID 3024 wrote to memory of 792	3024	omsecor.exe	34
PID 3024 wrote to memory of 792	3024	omsecor.exe	34
PID 3024 wrote to memory of 792	3024	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
"C:\Users\Admin\AppData\Local\Temp\f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
1c142ced09d9ee8d8a2ca5b89d3d2694

SHA1
30b22461f2e030abe0d4f17c4cbb8168a1d852ce

SHA256
d011ec79d50ab9f0881bd5f83b9e802360eab0b6855057728a0a1a3a4abbe68d

SHA512
f32ee5b947b386b31d624be1f97c4d1ebfc3875db715f0f0f38dac3a2f7064875a12bffda4f892189137674291330dd450b0ff41b5115fd0e0e5b19ad6afee51

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
e28b1a8ca518c11843acb6079f18ef00

SHA1
3cc5bbc98578d231295e59ced8fcc1a97fdc85a6

SHA256
a1ac4745c96631ddb2bb6a22f7519836415b370e542d3a3a17d8c4861e9bcbcc

SHA512
1c8a08b8b7d2557e05fe79e7d005ac34814fee88d5c65102726a6b641a73000cc179b3cad642a7bdeee933eda42e0f24d64d9b43c4e5a375b844c48771dc5a20

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
99befd51f52eb394c1c356299b6ce190

SHA1
97afde35d637238d3f103bfcedc0ba3994190a9f

SHA256
6bb8547909db6f166c1885370ef8e9485e0b2f422b04a710873e562c318ddaf0

SHA512
143aa465cb9b14d20c49725e72466d48cd8dfd618c82b89a7b8226ac5dededcb31e4d23559e583cc955520d55adccd9060ba8af756923bb52a14a4d6396fd00c

Download Submit

Analysis

Sharing