neconyd | abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4

General

Target

abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
Size

80KB
MD5

e18e24f356a8e8c63bf88dc297a899c4
SHA1

aa8aa79865cafe82a191a03dd1529fb3efa840a6
SHA256

abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4
SHA512

5ca22c975af625bb7cafae1976410233063e75b9ec21cfa5ec82855ffb39c9e1db83e789c8b5e7e24129ea3aacb8353da277829292c764611865acdb1b698c10
SSDEEP

1536:sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:UdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2380	omsecor.exe
2508	omsecor.exe
1484	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
2380	omsecor.exe
2380	omsecor.exe
2508	omsecor.exe
2508	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2380	840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	29
PID 840 wrote to memory of 2380	840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	29
PID 840 wrote to memory of 2380	840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	29
PID 840 wrote to memory of 2380	840	abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe	29
PID 2380 wrote to memory of 2508	2380	omsecor.exe	31
PID 2380 wrote to memory of 2508	2380	omsecor.exe	31
PID 2380 wrote to memory of 2508	2380	omsecor.exe	31
PID 2380 wrote to memory of 2508	2380	omsecor.exe	31
PID 2508 wrote to memory of 1484	2508	omsecor.exe	32
PID 2508 wrote to memory of 1484	2508	omsecor.exe	32
PID 2508 wrote to memory of 1484	2508	omsecor.exe	32
PID 2508 wrote to memory of 1484	2508	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe
"C:\Users\Admin\AppData\Local\Temp\abd53b680a9fd6edda5772e61a5172f76019e22fa84634473d0202b200523ce4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
c5b6a9b9748c845a0a90b1907243babb

SHA1
4255ca6ad793dce672631e9cb71fe65ab18f938b

SHA256
19a45e779ef49340cd281162b8f0a520e2299d3b2695f5d03a52097e14ad3da9

SHA512
31c423055de6c09c53509c1d411d72236fb2f765f01ac65fffe59bdfbcef04962ea53ad93e8862b73f844e593a086f50f90b8908eae78f9242baca10f911ed85

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
f0a9925fc7e0ad63f471789879287d31

SHA1
f6e2b388da629ab4e3540db2c575a413061b5ee2

SHA256
cb2e791b3654b9ea30470a457dd90321853bb6ea6d7a24b223463a7bb18392e5

SHA512
ed712a89281e56a398bfa502246380e095acf3c6e2b31d416b98bc4d50e11cb88a5925938be0bd7223d1e3330a9f00cee34b24ba7239a4f2db4bdbffeb9f2fd6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
7cbf32aee7c1a8b486e2edd9d8560c23

SHA1
346e893e82f79168b51ff9c58a002657d529b381

SHA256
30aef57bc39b362efec9bcef9d0e31d72c681c2a1d8f29b2567199b3956c1e77

SHA512
bf2a47b7933b51443ea2343558e4a466371b24fce98c43edea8b9cbfee15496110831e288ca10060ff6b5e4e8c38f403eb153d57b7d981d6ab4ee318def5ff33

Download Submit

Analysis

Sharing