neconyd | bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54f

General

Target

bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe
Size

76KB
MD5

5b647dd82c1776527855f4d3c60c0b30
SHA1

254557dc05ab9ccad2eb427753ee3942fec0f0d5
SHA256

bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54f
SHA512

1094e6878b959ea7a7fd48f2115abb50b8a5215656e6e01edb503ec57e385e935453bb2066def63ba5fca5864e67ad828be5874c1bba92dc206d0281f1e0e17f
SSDEEP

768:XMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:XbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2260	omsecor.exe
1264	omsecor.exe
2660	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2476	bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe
2476	bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe
2260	omsecor.exe
2260	omsecor.exe
1264	omsecor.exe
1264	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2260	2476	bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe	30
PID 2476 wrote to memory of 2260	2476	bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe	30
PID 2476 wrote to memory of 2260	2476	bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe	30
PID 2476 wrote to memory of 2260	2476	bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe	30
PID 2260 wrote to memory of 1264	2260	omsecor.exe	33
PID 2260 wrote to memory of 1264	2260	omsecor.exe	33
PID 2260 wrote to memory of 1264	2260	omsecor.exe	33
PID 2260 wrote to memory of 1264	2260	omsecor.exe	33
PID 1264 wrote to memory of 2660	1264	omsecor.exe	34
PID 1264 wrote to memory of 2660	1264	omsecor.exe	34
PID 1264 wrote to memory of 2660	1264	omsecor.exe	34
PID 1264 wrote to memory of 2660	1264	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe
"C:\Users\Admin\AppData\Local\Temp\bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
062bf4070f214ceec3ad3e6db40cc9f5

SHA1
1aebac305383649c5d4dbb6552ee25d476db2367

SHA256
5350a4d697f4812f7f4676d3b85f52c83043f3d02188c35a1dc0efcf8bc4aaf2

SHA512
a924aa3476755c8714aff6d40d489e9284e85bc9ae8cd3459eaccde45c1f879c55f64c32cce1a5e3e2bee7230ce14c81079fb34ee0109e41a2cde74cda613b88

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
99d6d764e2925f02966cc8e766c8dbe9

SHA1
c4b66682dce62d9390c2847d07d0101410e632ed

SHA256
3b2ed2996fbe07a52af85beb024d564abff877ac278e6a7c185d45f8b5fb0f8b

SHA512
a7a5d47abc29c26c0fc81bffc5b1b3c6151a456c0655e9fe119aa4c19d2c204c46aa4bacdfe7938a44718092d1fb45f0edfef5eb0ff2787932afb4ebcc96c13b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
be68586a3210ee8ad99abb6a7c0d9f23

SHA1
994cb4c6f991472e5ea234d5a2500ea1a01ce31c

SHA256
7c8e36f1cf5313640f98aad2a66eb2980277f243da9492c7d7afda121b910f68

SHA512
20d7da3c76d14e3e2a9467bb6e0ea48959321eaf39ba55a58d2d1a83c8cc4fa0d28f868bb08fc19d54a020222b4d3c1c8c4c48edecad4844001b8d684b609456

Download Submit

Analysis

Sharing