neconyd | 591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ff

General

Target

591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe
Size

80KB
MD5

b17bb5698c11517a8b80cfbd8b9adc20
SHA1

94cac9fc306a82d8de3b8ca5391f021e5dfea5b2
SHA256

591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ff
SHA512

683d69164fb2b54be885c8cdcc5a184eee749e9dd4d82ad8ff9e8b78e3680d6ece62cd91a81dbc881a8116cfdcb222f48aa576388ef04b41027527571dae63f8
SSDEEP

1536:pd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:pdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2040	omsecor.exe
2928	omsecor.exe
2576	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
620	591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe
620	591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe
2040	omsecor.exe
2040	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2040	620	591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe	30
PID 620 wrote to memory of 2040	620	591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe	30
PID 620 wrote to memory of 2040	620	591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe	30
PID 620 wrote to memory of 2040	620	591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe	30
PID 2040 wrote to memory of 2928	2040	omsecor.exe	33
PID 2040 wrote to memory of 2928	2040	omsecor.exe	33
PID 2040 wrote to memory of 2928	2040	omsecor.exe	33
PID 2040 wrote to memory of 2928	2040	omsecor.exe	33
PID 2928 wrote to memory of 2576	2928	omsecor.exe	34
PID 2928 wrote to memory of 2576	2928	omsecor.exe	34
PID 2928 wrote to memory of 2576	2928	omsecor.exe	34
PID 2928 wrote to memory of 2576	2928	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe
"C:\Users\Admin\AppData\Local\Temp\591ab074dda6288321d63e5326d495b95a45c03e898dc9d218741519ad9785ffN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
d7a4eab0565ba8ab4bd2df71354dc794

SHA1
9925331e24cd5e95a84926ae605495ce05bd52ca

SHA256
0f38cf39cfec6e217ba5cedc85fe2e80a5b379fba6840c79e5edd40d85dcc0d8

SHA512
5e2a72576b963dbedf3d8904630e9b3a169278b104203a4823dea8b77f77291c482fae6e041eedd89e60daa4ec816b2d963b74a538a170a53b9f518a5616696a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
7e2a1833f861a653d070dc19699b7675

SHA1
bf2c7008110c16069adbfdfdef2812a00456d91d

SHA256
0e699972df601d2c056bd9fee2d3e3d4c8dbb905999683fc0bbb65965de35d85

SHA512
56b4f188203e41a7866c65c801b6f23d02789721c29370b2a03c76712e427e907170f2b7098449144020e666556ccd0287cab687860a1f25e872b964ea88143f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
3622cc8cf2b83b1742756f94bdbbd687

SHA1
bfaa6b7a8b2f32bf51c867969261d6da9ab2cf8f

SHA256
6347a96afc63a7ed418646e423daf9a5e06a90d30201c1322f9b29adb40225ac

SHA512
170df1121d5bfeb3b95f4fd43250b0facf200a9b2ffd16319b338715d26ce68a1001057c816cb97668b0853d2283599a8a12d61bdc750ae34568ea40b0b8e25b

Download Submit

Analysis

Sharing