neconyd | 15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344

General

Target

15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
Size

61KB
MD5

b43ae4bd2587aae0bb7cda53225bfb7e
SHA1

a7915c8f95202c58172bc6ffa283505e7874fb3a
SHA256

15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344
SHA512

21c0cb46e37862689cf1fb6f75692e3ff094298c5e263db46b2f0df6cca1e943ef1e170dfd2f330080db80aa40ce6b64d80b36073557538274fbba116e743b84
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5:7dseIOMEZEyFjEOFqTiQmPl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2696	omsecor.exe
676	omsecor.exe
2920	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1640	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
1640	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
2696	omsecor.exe
2696	omsecor.exe
676	omsecor.exe
676	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2696	1640	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	30
PID 1640 wrote to memory of 2696	1640	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	30
PID 1640 wrote to memory of 2696	1640	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	30
PID 1640 wrote to memory of 2696	1640	15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe	30
PID 2696 wrote to memory of 676	2696	omsecor.exe	33
PID 2696 wrote to memory of 676	2696	omsecor.exe	33
PID 2696 wrote to memory of 676	2696	omsecor.exe	33
PID 2696 wrote to memory of 676	2696	omsecor.exe	33
PID 676 wrote to memory of 2920	676	omsecor.exe	34
PID 676 wrote to memory of 2920	676	omsecor.exe	34
PID 676 wrote to memory of 2920	676	omsecor.exe	34
PID 676 wrote to memory of 2920	676	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
"C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e75c970bba40534408665e9780da0b9e

SHA1
14dfe6fee89cb45fe582844aeb9732941f34d86b

SHA256
fbe87e65078d3ea5eee27a339e541a95b3dffba4c91b3bc7a4d0ad50016d10c2

SHA512
ea214804fccaed5947da5e24641a712842cfad507e55029d21f201117d0a851ca7aaf515cdb62d44e8e342ac0719fa652e49a81c2a189e4b669359bfd558fca1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
d01b660d2283f068c79724968338645f

SHA1
589b80e4e8784bf8f21aa5a753989e9ca8e97b71

SHA256
5154ae8b1dc240e4cf938c58ee33f0d521b801174527da0bf1841e7de9c33200

SHA512
3ec94a45a076a901369d618f680f5c61d70952daf92a8c4757b6b290623b731b3502017f627f79a05b83fb28575302d1e790200b7518a87ebdec79e15dfc8cfb

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
6f19c18e4012785b7040a08e25ad7c59

SHA1
42d8ff55126c72c645249dfde86c08b283cd7de7

SHA256
41eb26dab28d5e3d65df53b12f2c3073a1b2c3a3f6101eb2a2e593e4e77009ad

SHA512
274d2d86ab9c1f6913e20c6678ec0a766b843ece175cf902a8626bec21a68094b18b895d94ffb55b2dd96168f0b7cb99bc5307fc2a9274ad20b122cd6292aa44

Download Submit

Analysis

Sharing