neconyd | 55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2

General

Target

55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe
Size

72KB
MD5

8538eb5bd93e0f922611aab49d62bb63
SHA1

06911bdd368ffe7d31941775666f3894e94514f5
SHA256

55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2
SHA512

4058d0cc71d5a92d8080a786e69dd77854b7c5036a02659e5af9ecaabef5d5c1dd675991b57189a4a71ad9a66ee6ae4cde13beb48bc148d725aa56b568e7d4a7
SSDEEP

1536:td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:FdseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2236	omsecor.exe
1684	omsecor.exe
1664	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2668	55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe
2668	55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe
2236	omsecor.exe
2236	omsecor.exe
1684	omsecor.exe
1684	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2236	2668	55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe	30
PID 2668 wrote to memory of 2236	2668	55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe	30
PID 2668 wrote to memory of 2236	2668	55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe	30
PID 2668 wrote to memory of 2236	2668	55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe	30
PID 2236 wrote to memory of 1684	2236	omsecor.exe	33
PID 2236 wrote to memory of 1684	2236	omsecor.exe	33
PID 2236 wrote to memory of 1684	2236	omsecor.exe	33
PID 2236 wrote to memory of 1684	2236	omsecor.exe	33
PID 1684 wrote to memory of 1664	1684	omsecor.exe	34
PID 1684 wrote to memory of 1664	1684	omsecor.exe	34
PID 1684 wrote to memory of 1664	1684	omsecor.exe	34
PID 1684 wrote to memory of 1664	1684	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe
"C:\Users\Admin\AppData\Local\Temp\55c1a1685a4671c5d5662986f101500d9a18db6539ec4f4dbe4f234c8ef82aa2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
ea30e7b998732d27c5fd6577c38f05b7

SHA1
883e7825462e6a797702bb318b3bc1638b905aab

SHA256
897ecc6bdcf9464b5ac01cd1ebfdd128fd4379ae766eb6a156e3974c507ecd6e

SHA512
1cb33caace5675ae16f8b795379ef68a793fd8c43d076f9b4c73226dcf7d393c2ff51c7d6c5db0ee92140252d15582ad20db4c41d6035e4c3086dfc1be839a80

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
45a9237c3acf8714d9244b7b28288d2f

SHA1
0330d40598341856a525fd412056c5a4105c0c62

SHA256
53aa93ed6b121ddf539c7c3fcd92ede0fcd4691d994050918ecd161e660b0a69

SHA512
935c8b756d17e4c0bf6fb2659029a6d32dfccef9cc8d45a242b918f8c4d35be9c4a01e9c472e4133f92989446b48ab5848b5f5209dd4f256121c568f58ec949d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
9dd69e393b498290b489d5e98c47b656

SHA1
48414bcd9c7d09c247502bf02977baa7b6f767c0

SHA256
3454a4d8781b531d0b78d3d0cf3ce27b7811d2672b3370c35043b937d60c93d6

SHA512
94f7b6ebe5643578fa8c429a8430d092e82260b3ff828de46039a0e298e9b03f6f0dac67c8948f3932a721d247ff4e214ccb554dadcf8d3b872e5954b6a516bf

Download Submit

Analysis

Sharing