neconyd | 3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278

General

Target

3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe
Size

64KB
MD5

7315bd306db38f11c658dd7a44ab4d20
SHA1

190af71367989fa1fe68dfd39a03941224b56725
SHA256

3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278
SHA512

2155faae92e7f323ec7124ae229e9eddf68653aeec6a55b27bb6715cf5fc88bd36e4418da10e2f11de66325adee3beee11fc08c2f3692d5f5f027f7e5e0f19ed
SSDEEP

768:hMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:hbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2020	omsecor.exe
2660	omsecor.exe
3048	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3008	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe
3008	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe
2020	omsecor.exe
2020	omsecor.exe
2660	omsecor.exe
2660	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2020	3008	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe	30
PID 3008 wrote to memory of 2020	3008	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe	30
PID 3008 wrote to memory of 2020	3008	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe	30
PID 3008 wrote to memory of 2020	3008	3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe	30
PID 2020 wrote to memory of 2660	2020	omsecor.exe	33
PID 2020 wrote to memory of 2660	2020	omsecor.exe	33
PID 2020 wrote to memory of 2660	2020	omsecor.exe	33
PID 2020 wrote to memory of 2660	2020	omsecor.exe	33
PID 2660 wrote to memory of 3048	2660	omsecor.exe	34
PID 2660 wrote to memory of 3048	2660	omsecor.exe	34
PID 2660 wrote to memory of 3048	2660	omsecor.exe	34
PID 2660 wrote to memory of 3048	2660	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe
"C:\Users\Admin\AppData\Local\Temp\3159e130e2de16f949ec82e1eedabd5ddfa0fa37ce88eb5624942179b6cce278N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
a57a2867af56b43555c23df5e9ef4f54

SHA1
29540db21fe9247c0f7c994f17535cd8a37420d3

SHA256
f6b2a45729c8bcd6e5a8e39ef66504169ad13e1f3a86b9e1c80f5a1cb434154c

SHA512
ed3c2c5db482261b9b78ed26d0854f3de2758da921b6fbd0e90b07c22be58cdef59f7fc93bbb499ab33872a3bd9ef472e6bff28e39ac3bedbedda8c1862a6ce0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
3a2ae761acadcf08f3afa7efe844e14f

SHA1
dc2186bc9a693daa9991a786b7426fa90eb9b626

SHA256
b1c70ff44347004053a5149713c466d6a528e13ce4e66f50048bc7bfa268f61a

SHA512
bdf7a070133529e7485fe8310e41c3140a44ec5842e32a285fd1989f66b8dc36f3e3bfeae0b3856ef0e54c37196b10859d052d8b4680616887bd34b5eb7a06d9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
06b445d1ec8549210585faf9a9a75152

SHA1
34a6a8525b1e50a32bc0e7d399c3c8d82db0617a

SHA256
e5d92c493ad5cc47a8350088df2413ffd1be8834cdaba238cc532c6a4a605051

SHA512
55ffc2981c4d7830d4d7cb10118cf143f2a76a45824fd991263a210a31df146eb826a6421a22fda2d58873315de6a68100683a969566f29528a0d068e6b6085f

Download Submit

Analysis

Sharing