neconyd | 1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156

General

Target

1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
Size

72KB
MD5

75f834dcadb15ded5a93b83dea92f2a9
SHA1

1c9a84eb72387c06b5ced9f79fc3133126cdd0a8
SHA256

1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156
SHA512

6330659e957041092242056baa9e652dcd9bec7630de34e291512dec678bb3bfa3f9e461baf43c6c19ecf280cd423320dd7ac7f736f3d89c565993fa05e30d23
SSDEEP

1536:wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211F:wdseIOMEZEyFjEOFqTiQm5l/5211F

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1976	omsecor.exe
2332	omsecor.exe
1612	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1960	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
1960	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
1976	omsecor.exe
1976	omsecor.exe
2332	omsecor.exe
2332	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1976	1960	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	30
PID 1960 wrote to memory of 1976	1960	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	30
PID 1960 wrote to memory of 1976	1960	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	30
PID 1960 wrote to memory of 1976	1960	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	30
PID 1976 wrote to memory of 2332	1976	omsecor.exe	33
PID 1976 wrote to memory of 2332	1976	omsecor.exe	33
PID 1976 wrote to memory of 2332	1976	omsecor.exe	33
PID 1976 wrote to memory of 2332	1976	omsecor.exe	33
PID 2332 wrote to memory of 1612	2332	omsecor.exe	34
PID 2332 wrote to memory of 1612	2332	omsecor.exe	34
PID 2332 wrote to memory of 1612	2332	omsecor.exe	34
PID 2332 wrote to memory of 1612	2332	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
"C:\Users\Admin\AppData\Local\Temp\1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
83b08750d85c9a8234bf8259874ed5e0

SHA1
35e613fdb856933de13d8815a1509582be68e5b9

SHA256
79031c2e02b44be9c964a7de95879af8f1444dc08961ea80b4171ed6b0802bc7

SHA512
c3843bbe64582d2fa7a12112a21bd09e8cf0c960e69ede3e1e6b3917d83eae1821c1761c11c559c1c7c270fba6ebeba8005fb3836b5a5d58986363804235fe64

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
85346e3f428763799db0c8a57b7abec1

SHA1
41ffe58e84b2d5af6f6177e66fffc3ff22c24a3c

SHA256
b455020abee7a6c09634ac90ca031f384eb056227a4ec1d1d53bdb8479264300

SHA512
ffa651ec3f590f2d1c3734cfb3c20a596ab117a9bf59cbe4201dd33e64dd794df230cbbdf0edaa12c738d91ee726f695d6d0654f1bc0aeab08d9a675bced0336

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
4d13fccd1868be821671602f1060019d

SHA1
46a02844836b3662288912ba7bd7b34dad144884

SHA256
199414a5077844eb5cb92c257f3635259d7c1da56e45713305f2af8244c1fff9

SHA512
e57f62c0ba416594390ef58d7d3be1948424d2ed799dad2a461c75b19981f5083679abb01822f5f734334098ccfcaf4fceae496beedd68125be55b519b83e1a9

Download Submit

Analysis

Sharing