neconyd | 24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a

General

Target

24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe
Size

80KB
MD5

8ea42c95d5a331082f6de4476a708f11
SHA1

dd49cfc7487f67f3ea275e14166608b2f666cabe
SHA256

24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a
SHA512

984455b357ec27b20d0ce4a1fd1a6337034f6a5f821ac0059f80828172293ed7c48f66bf782352efb466f5e8bb4dcea8f97af4eaea499e7d77a2ac3737540be2
SSDEEP

768:efMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAe:efbIvYvZEyFKF6N4yS+AQmZTl/5W

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1512	omsecor.exe
1768	omsecor.exe
3028	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2416	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe
2416	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe
1512	omsecor.exe
1512	omsecor.exe
1768	omsecor.exe
1768	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1512	2416	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe	30
PID 2416 wrote to memory of 1512	2416	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe	30
PID 2416 wrote to memory of 1512	2416	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe	30
PID 2416 wrote to memory of 1512	2416	24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe	30
PID 1512 wrote to memory of 1768	1512	omsecor.exe	33
PID 1512 wrote to memory of 1768	1512	omsecor.exe	33
PID 1512 wrote to memory of 1768	1512	omsecor.exe	33
PID 1512 wrote to memory of 1768	1512	omsecor.exe	33
PID 1768 wrote to memory of 3028	1768	omsecor.exe	34
PID 1768 wrote to memory of 3028	1768	omsecor.exe	34
PID 1768 wrote to memory of 3028	1768	omsecor.exe	34
PID 1768 wrote to memory of 3028	1768	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe
"C:\Users\Admin\AppData\Local\Temp\24f961313effb974dbc60bb7d0c04a5395ac9da905f0861637e41010dab0ec6a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
2df6edad94978c41878af0dccb8c506a

SHA1
6e3a0a640d3807b40ebe728eef7db14d303183ab

SHA256
9213e2ee65d59499e435df8e8484ef37cdc12f6e65409071f49a54fa2d172870

SHA512
b099c1ea95488677e00f00e61137c54ddb0e42e1d27ff84e4e8d51234c57af6041e73c74b098a627f61521d09309710f12c6eef40a99f94af7fade7b7ee6a2bc

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
aa2f86fdd24040aca8d081083b08ae49

SHA1
5707a63bf51976f271f206f4eb69c36d0fa2b223

SHA256
82e49fbdd705d34b828771fd5793a2d3c821720048aca109cf7f6cf7e3c25004

SHA512
d1b7f300b8f94919ef9e5bc30aa76b037d37d6e677f2e3cf495247fe0e99cb6ba2a3ddf2520bd23b0930f934a78ffd3528101ffa07e609bf90d71139c3a811db

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
839291747616fb2161f0ffc373013914

SHA1
d54efcbea4f75b9a6c9bba5d7fc344509c456994

SHA256
a5a5a6b330cc7fcf1ac79e2f9fa90672d4efa78fc499ce045cdeca2711f0e97a

SHA512
ea35fd8fc68323dd353733c7bcbf9f1a85e3a1d1313dc669bc9ffce72a771c3eb169ac2fd91de91a527e8de3a9462ec3efd23d564dd807d6ac9f26d265df8946

Download Submit

Analysis

Sharing