neconyd | cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a

General

Target

cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe
Size

64KB
MD5

df01b9df52d25b93a9e8a294e2f8c765
SHA1

7ea09ab708f67a4d771e146733ce9fcce3fc8c48
SHA256

cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a
SHA512

7daaa253d2604aa7d19e5cca4980ae68eb174f7aa279e61e55043591ac5e18c88516bb104c90df1ac11776bb07bcf36bc4639de6b6f0a605e465d94eeb5c5145
SSDEEP

768:eMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:ebIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2568	omsecor.exe
2408	omsecor.exe
1700	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2380	cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe
2380	cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe
2568	omsecor.exe
2568	omsecor.exe
2408	omsecor.exe
2408	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2568	2380	cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe	30
PID 2380 wrote to memory of 2568	2380	cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe	30
PID 2380 wrote to memory of 2568	2380	cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe	30
PID 2380 wrote to memory of 2568	2380	cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe	30
PID 2568 wrote to memory of 2408	2568	omsecor.exe	33
PID 2568 wrote to memory of 2408	2568	omsecor.exe	33
PID 2568 wrote to memory of 2408	2568	omsecor.exe	33
PID 2568 wrote to memory of 2408	2568	omsecor.exe	33
PID 2408 wrote to memory of 1700	2408	omsecor.exe	34
PID 2408 wrote to memory of 1700	2408	omsecor.exe	34
PID 2408 wrote to memory of 1700	2408	omsecor.exe	34
PID 2408 wrote to memory of 1700	2408	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe
"C:\Users\Admin\AppData\Local\Temp\cf8866ac3de88b717426947d1ff38e0d05c3d351866f4bb7935476669aa1f80a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
b999f49b3f983dfc8e8c53fe683adc5e

SHA1
8f7657b1941d924bf1d26080de19662331ed03ed

SHA256
6250bf27f87cf6842a7e04e3fedb5153a224cc619e68710b514b4d4a1da9b310

SHA512
965be3a59b260dd3556345b9aca82bca86a4bacf186a191620c31350a2c8e5c2c35acb65fc10cd13ff1fa5697fc33ee536ffcfc2374e16657687912a6da9487b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
1e7698bf2eb5f6e2ecaf5c0c9337f850

SHA1
42e1c09b24272c74f346491c60c45461ae24f5b9

SHA256
0f79a0555c48fb090b18447c45b34c14863f918c0c2621efaab60b9311eddc1f

SHA512
4e71ad04af2276a8592a3e4b663d7dd2e27ecb972727d39580c25112396592cbdfd8528bff0ba9cd0048e3e91ba032a06e2b1a5d29dedd2eca71696897cf753d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
d946be15e18c285321e5005411cd23e9

SHA1
3c4070f3c029644b46c3a105fc11c0e9a494a8a6

SHA256
dddead594a4789af4e9a3b426d77e768771df4c58f0f830404b698076519ee7f

SHA512
8d29c01c8d9beec1228fc30b5cd53906f7aabf215f72413e21ae9776f91c8ae233fc5c27ccf4586e077ff3c96b5c44e2ed13959616dbdb0f8852f7d00693f6d4

Download Submit

Analysis

Sharing