neconyd | abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4

General

Target

abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
Size

80KB
MD5

e18e24f356a8e8c63bf88dc297a899c4
SHA1

aa8aa79865cafe82a191a03dd1529fb3efa840a6
SHA256

abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4
SHA512

5ca22c975af625bb7cafae1976410233063e75b9ec21cfa5ec82855ffb39c9e1db83e789c8b5e7e24129ea3aacb8353da277829292c764611865acdb1b698c10
SSDEEP

1536:sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:UdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1776	omsecor.exe
2756	omsecor.exe
768	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
1840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
1776	omsecor.exe
1776	omsecor.exe
2756	omsecor.exe
2756	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1776	1840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	31
PID 1840 wrote to memory of 1776	1840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	31
PID 1840 wrote to memory of 1776	1840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	31
PID 1840 wrote to memory of 1776	1840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	31
PID 1776 wrote to memory of 2756	1776	omsecor.exe	34
PID 1776 wrote to memory of 2756	1776	omsecor.exe	34
PID 1776 wrote to memory of 2756	1776	omsecor.exe	34
PID 1776 wrote to memory of 2756	1776	omsecor.exe	34
PID 2756 wrote to memory of 768	2756	omsecor.exe	35
PID 2756 wrote to memory of 768	2756	omsecor.exe	35
PID 2756 wrote to memory of 768	2756	omsecor.exe	35
PID 2756 wrote to memory of 768	2756	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
"C:\Users\Admin\AppData\Local\Temp\abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
c5b6a9b9748c845a0a90b1907243babb

SHA1
4255ca6ad793dce672631e9cb71fe65ab18f938b

SHA256
19a45e779ef49340cd281162b8f0a520e2299d3b2695f5d03a52097e14ad3da9

SHA512
31c423055de6c09c53509c1d411d72236fb2f765f01ac65fffe59bdfbcef04962ea53ad93e8862b73f844e593a086f50f90b8908eae78f9242baca10f911ed85

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
efefdc16514bc19883e592cda7ce086c

SHA1
26cff6e68444a5c61f127483da4dccb40175b99b

SHA256
009de85b1650ecb2b56a6dba749932dfd970b49c48112b5c9d83fde14f82ea81

SHA512
2e6a3fc594daa1797e8dc5e74f60da287b98a7935dd2be1ae2f76c7ee483567fdd658747f6a39b7acda3347ffb9c481da5c48de1f326c3e8a4cc9dac0dfc37e8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
ce9057deab1e61233c256e3e8e557e7e

SHA1
0c4d928e000d47563e89d4a0301c6f86d55b4756

SHA256
be32f3099a45010cb0f91bba20f3cdb705356e482a440461281b0ee485ea079d

SHA512
c532485aff9bb955a1bdeead4ad152778acfaad1eac83b510b9e7f4c8c6beb399625e3c2a760eb3f76b41f4f0eff8d4be6a5b54497380c20fe7824d8102a849d

Download Submit

Analysis

Sharing