neconyd | 665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6d

General

Target

665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
Size

89KB
MD5

8f079325c4c70893a16e983d451acb70
SHA1

3c4b83e47fa93b02f0bf42c04a0251a4da6c23b1
SHA256

665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6d
SHA512

4f7a00d16710af3216e7a9e953e33b8ce280cf0d09a8769d9f78801d36c46bfd488e348e67c9bee4217a43d87e5c62dcdf859706356a3043bc0e84a12a7a5a22
SSDEEP

768:JMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA/:JbIvYvZEyFKF6N4yS+AQmZTl/53

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2120	omsecor.exe
2772	omsecor.exe
2312	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2232	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
2232	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
2120	omsecor.exe
2120	omsecor.exe
2772	omsecor.exe
2772	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2120	2232	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe	30
PID 2232 wrote to memory of 2120	2232	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe	30
PID 2232 wrote to memory of 2120	2232	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe	30
PID 2232 wrote to memory of 2120	2232	665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe	30
PID 2120 wrote to memory of 2772	2120	omsecor.exe	32
PID 2120 wrote to memory of 2772	2120	omsecor.exe	32
PID 2120 wrote to memory of 2772	2120	omsecor.exe	32
PID 2120 wrote to memory of 2772	2120	omsecor.exe	32
PID 2772 wrote to memory of 2312	2772	omsecor.exe	33
PID 2772 wrote to memory of 2312	2772	omsecor.exe	33
PID 2772 wrote to memory of 2312	2772	omsecor.exe	33
PID 2772 wrote to memory of 2312	2772	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe
"C:\Users\Admin\AppData\Local\Temp\665c2be98a550b3af4109f872868f458e898fb0e09832df16a05db867899ef6dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
36335d6d208518e28f1af8e4a063ff57

SHA1
957f080cd7cfe3e478b854056546f607b51fab75

SHA256
20c85413f71fda26627686a43e67748498ae2d403b8d79efb501af7977d954cc

SHA512
1ed06a264140956e3638d75c9a77c32f2d73b3cbde8ec0996102ead4a6adeb0dfda9a095caeacf91c22e17d79d68661106c22e46ac7369572fca7971e0cf5ade

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
b556dc5db3825d2f3bf93e9b6e05b5ba

SHA1
2167bf56e8852a170e586de2f52e3edd44917b42

SHA256
6db27b02817ce695794a95ab83721c7bb017d26493e92a50997650282da91ed4

SHA512
07cc198ac996de6bed6b66428e0d7858823ada203fe86cfca460c9cbbafbef0e9e7dbd1d46e4d0fc99dd23516c111f95c10d7ce2ad3c9de54936f7d035fb09b4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
2ecda7fe028b7783b9b4e8ec91be2af0

SHA1
31f3005ed2251b924af71813ccc3c877a21dfc79

SHA256
7a3bfc859e8cd33e75f186ccac69b1192996f51b2628a920af2797991ec05be1

SHA512
37eed8456b75572e75c5d410a07dc1b6600dddc76497bca4561af0fd39b094843fb2bf8cf8b107bdc405c5897b37fb5ce3cbb9bf023100c11c9cee1296faf4ea

Download Submit

Analysis

Sharing