neconyd | f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990

General

Target

f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
Size

89KB
MD5

ba2d45f4f924dd7d4cfe2157134938c5
SHA1

eb14ea5f387dfb8e580035b6f1b9d1622feaea60
SHA256

f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990
SHA512

65ee7d3abb9da0489e47e89d0d6724b7fc5ea0937d1863fa6f111013a22294b1176ab4b371fc95db539f45cadf43e69c9a1c6a47a246268a356e8e70d641283c
SSDEEP

768:rMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:rbIvYvZEyFKF6N4yS+AQmZTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1984	omsecor.exe
2592	omsecor.exe
1920	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2024	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
2024	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
1984	omsecor.exe
1984	omsecor.exe
2592	omsecor.exe
2592	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1984	2024	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	31
PID 2024 wrote to memory of 1984	2024	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	31
PID 2024 wrote to memory of 1984	2024	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	31
PID 2024 wrote to memory of 1984	2024	f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe	31
PID 1984 wrote to memory of 2592	1984	omsecor.exe	34
PID 1984 wrote to memory of 2592	1984	omsecor.exe	34
PID 1984 wrote to memory of 2592	1984	omsecor.exe	34
PID 1984 wrote to memory of 2592	1984	omsecor.exe	34
PID 2592 wrote to memory of 1920	2592	omsecor.exe	35
PID 2592 wrote to memory of 1920	2592	omsecor.exe	35
PID 2592 wrote to memory of 1920	2592	omsecor.exe	35
PID 2592 wrote to memory of 1920	2592	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe
"C:\Users\Admin\AppData\Local\Temp\f69cc28aea74266ee354ca8bf23a046d3f7b3c61285b7864fc08a41fc45de990.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
1c142ced09d9ee8d8a2ca5b89d3d2694

SHA1
30b22461f2e030abe0d4f17c4cbb8168a1d852ce

SHA256
d011ec79d50ab9f0881bd5f83b9e802360eab0b6855057728a0a1a3a4abbe68d

SHA512
f32ee5b947b386b31d624be1f97c4d1ebfc3875db715f0f0f38dac3a2f7064875a12bffda4f892189137674291330dd450b0ff41b5115fd0e0e5b19ad6afee51

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
4ebb1dadb63b7f4ae0d4c2b5a5da90fe

SHA1
c1fc3a76c3c895edec0dbb71a562d448f3e02490

SHA256
871a5793b3fe3cc6c880d9532e6a65807ac68ea49d45ecc2b9c34d9c95eade40

SHA512
38d0607271a9598c036cf9b09f3739caa015cbfe4ebf9c5ff569bbf98b2947a606cc17cf61260198cb8b6defca5e590aae5848e1dd9032ec55f4b79076ecc4cf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
45eef471e28a8e4090215e8dd5384ebe

SHA1
7ba64bf299afe77cca039f862b49de9760eaa779

SHA256
cb925bacb2f87d0f776bccaa0524909f232b786eba4216e8824546d4eb9a1337

SHA512
2e98b6cd128aaeab25fea09e86f90771cf5a0d43cb06938802c77fff0f73c9901202c282c51a9bf206453d59dcc7c72a267d2503c67dcc57c95a64e41581fbfc

Download Submit

Analysis

Sharing