neconyd | 394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe

General

Target

394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe
Size

64KB
MD5

65c8c108cff057c548c5ea19921c79aa
SHA1

d4e7d46ccb3dbb4e9b140c821f369bef52d74915
SHA256

394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe
SHA512

7a00b940b5b92c3ac7b0d2b77d90ff6f4899932021642dda35e219076af6131645457f8ab04f02fde6b22d056e593bc7434ffad96c7762ab61354a527af6ad26
SSDEEP

768:PMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAN:PbIvYvZEyFKF6N4yS+AQmZcl/51

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3068	omsecor.exe
2476	omsecor.exe
2876	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2596	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe
2596	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe
3068	omsecor.exe
3068	omsecor.exe
2476	omsecor.exe
2476	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 3068	2596	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe	30
PID 2596 wrote to memory of 3068	2596	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe	30
PID 2596 wrote to memory of 3068	2596	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe	30
PID 2596 wrote to memory of 3068	2596	394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe	30
PID 3068 wrote to memory of 2476	3068	omsecor.exe	33
PID 3068 wrote to memory of 2476	3068	omsecor.exe	33
PID 3068 wrote to memory of 2476	3068	omsecor.exe	33
PID 3068 wrote to memory of 2476	3068	omsecor.exe	33
PID 2476 wrote to memory of 2876	2476	omsecor.exe	34
PID 2476 wrote to memory of 2876	2476	omsecor.exe	34
PID 2476 wrote to memory of 2876	2476	omsecor.exe	34
PID 2476 wrote to memory of 2876	2476	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe
"C:\Users\Admin\AppData\Local\Temp\394266789cc94c5fb47c066e957cc24452b08c46781a86b88f60608c87f325fe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
b73f84bfd72b85df89118d8da28d260f

SHA1
0e10220bef101c8eb73e564e372ecf77f2575fdc

SHA256
cd208472ed917630ab84f2a299440b47e47641c22658fb008213efdaf3e39a31

SHA512
cd354c3825d2d99443f1d1443749b42612c93d03c67d800c56a692090555967dc0831b7d75e95882f4a9f5d60a45cac51696725af3ddc0da9b215624ad06fa47

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
e02c6f6da8c9602b27f1026f128b80d0

SHA1
665171edbcfe5ba3c5c7d7fc5055bd60e21a8130

SHA256
d79610e13af98472b20ee48df7e221ae21804fafbf09ea4fa435647580d21054

SHA512
7258560f88fd6f5bf606616c940d62fa32efb8e53eca546755aa37dc030e84025ee8519575b83d8a23cc89b0d1c518ad95f4ac66bfa2b71d82869f428315d980

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
8cc38ba688a99c737eb92c8810d61851

SHA1
148009a6ed5945edada6e81debbe3b3929ef094d

SHA256
12954a79766b4adb28bb11e5b9fea748ce9fd19a18f182c0cee25ca802ea39a5

SHA512
aa38cc6fde6578cfc429c77aa9802d404221719bab3a39af05441776cf3ebf13a92f714a64377bf2d3a5ddc558d616512f3b7f28862070460135954129464fc3

Download Submit

Analysis

Sharing