neconyd | 05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813

General

Target

05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe
Size

64KB
MD5

b888284da17f3143e6ff28052daa4b5a
SHA1

6264eb09d4b92b1e39d3a405e5c21a5805e19169
SHA256

05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813
SHA512

dc5cc5b1089f72b64e0445647c04d7edb2fc0cfb250ad04295e9b721bc91817db5f2ee6405f7e3f276ff0d2cc31458867dce28f4d150192db2730a741d74dfaf
SSDEEP

768:hMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAH:hbIvYvZEyFKF6N4yS+AQmZcl/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2348	omsecor.exe
944	omsecor.exe
3032	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
432	05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe
432	05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe
2348	omsecor.exe
2348	omsecor.exe
944	omsecor.exe
944	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2348	432	05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe	29
PID 432 wrote to memory of 2348	432	05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe	29
PID 432 wrote to memory of 2348	432	05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe	29
PID 432 wrote to memory of 2348	432	05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe	29
PID 2348 wrote to memory of 944	2348	omsecor.exe	31
PID 2348 wrote to memory of 944	2348	omsecor.exe	31
PID 2348 wrote to memory of 944	2348	omsecor.exe	31
PID 2348 wrote to memory of 944	2348	omsecor.exe	31
PID 944 wrote to memory of 3032	944	omsecor.exe	32
PID 944 wrote to memory of 3032	944	omsecor.exe	32
PID 944 wrote to memory of 3032	944	omsecor.exe	32
PID 944 wrote to memory of 3032	944	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe
"C:\Users\Admin\AppData\Local\Temp\05e4b9fac690a0187d4087e0032e7add7b46d6147d62e72b602eabe02f8b9813.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
00c77ca0ccd47c92018fcd0b67c15a27

SHA1
6649241a0e01fd145a8cf87f3f9d5948ab5a45ae

SHA256
db7bb4dd82f7ac108acad453aa54916ef863caffeeb9241dba78c48dff66ec9b

SHA512
5d572fa00a35f59c134ed4dc123b555d6c8dbbb05e6918c36498023a0fded7bfa4c8a04aef656b17b01dd0935670220b3db3c8954a5f401bb4ceb93d7a3dcb37

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
a169f6935a007dd7f03c2f57ff6ba9ae

SHA1
333e775ff7b110489eaa8b6ab0fc36dc2a2d80b1

SHA256
f78d1a7801f8a41079d4a258f6f7801c12931dfed6009ee9a22b925c3892ad00

SHA512
2150052886a3d7441cff664538c478908491e0374219e1eedceaa7282826309c94783b4337bde5a399525a97ffbb3791ab658375548318e6224fa16e281ce725

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
e4716634535fab132adf5a0e9e50da8a

SHA1
b0c4e894f3684566329634c36231e027e8552231

SHA256
77bdc2bddcbd7a6d17f3c69bc87fbe773804b0874b0ce62b9ba42a6e186ea171

SHA512
b1c4d2d188356a5a581e591a9ddacafbd0f74225a3997c8d305d98523d1b312a63b7d772fe4e217c10dfd13b143affc2fba277e793885a1ab4ff219774568794

Download Submit

Analysis

Sharing