neconyd | 199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59

General

Target

199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe
Size

80KB
MD5

0ed16acba1c75c3462f1bc7d80aa2374
SHA1

7ba68cd906c701cff0477966dd6bba8102bdd372
SHA256

199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59
SHA512

7d08882b80dac519a0f08973ea205855c1fa6d1649947437f59c341280658fe9aa7c755a08af9df18e5977c283e3e373b6c846a98321e085b248309f440edb32
SSDEEP

768:cfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:cfbIvYvZEyFKF6N4yS+AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2900	omsecor.exe
2492	omsecor.exe
2944	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2288	199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe
2288	199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe
2900	omsecor.exe
2900	omsecor.exe
2492	omsecor.exe
2492	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2900	2288	199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe	28
PID 2288 wrote to memory of 2900	2288	199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe	28
PID 2288 wrote to memory of 2900	2288	199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe	28
PID 2288 wrote to memory of 2900	2288	199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe	28
PID 2900 wrote to memory of 2492	2900	omsecor.exe	32
PID 2900 wrote to memory of 2492	2900	omsecor.exe	32
PID 2900 wrote to memory of 2492	2900	omsecor.exe	32
PID 2900 wrote to memory of 2492	2900	omsecor.exe	32
PID 2492 wrote to memory of 2944	2492	omsecor.exe	33
PID 2492 wrote to memory of 2944	2492	omsecor.exe	33
PID 2492 wrote to memory of 2944	2492	omsecor.exe	33
PID 2492 wrote to memory of 2944	2492	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe
"C:\Users\Admin\AppData\Local\Temp\199ff583eb3914ac1755646ac83eda6b512eb851fdd202f3e96b6c1cbf2e3c59.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
e59c7b2bd0769b17161a72a139bc1cd9

SHA1
bdf49c2515971584b59be2bddf8b7ebc4b2b60b5

SHA256
b79487b0179ef9ca057baa89758e082a00343d92e35abfb9171a12f4389eca82

SHA512
8b108197ecd1afb8309b8cf8cf96455c7f17cb072d519c2748917cf171ee1aed68333a964f255839fa4562c8a5d606a0f57dabfdb472afad6de0c84a7264ab04

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
43d12478ff5d35a9b3e4d57e495819b6

SHA1
59f689366cac1103f707551a23fd14a87d0c97c8

SHA256
806522a86fd14f12e70117ae86de7841bab9ac462d83d0196ef57528007a571f

SHA512
33c6c9ca8f124b21cf189bd44fc4a65360b14ac91aab84d0c2bce60086db9fc6ae917bf34d95213bd2b41c9461b826a74a444f91fe9dae21066ecf5e26314e4b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
b2a3c786df3437c8d8046dd2eb31e675

SHA1
446675ded5a28c85eb2375d0eefb32bdc7b3870d

SHA256
03481e93e29acc342fd64c6c506a2ad697ba1220b963719eb31cc9e226a128eb

SHA512
69c6dbe78b9855dc884bc092c652b9df3e92d7c5426aad854c5ac21e7f6770db2214e4e8317d4d9acf5f4f6d49b281650cc4fe450bba128b4a928c0d3b899184

Download Submit

Analysis

Sharing