neconyd | 1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156

General

Target

1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
Size

72KB
MD5

75f834dcadb15ded5a93b83dea92f2a9
SHA1

1c9a84eb72387c06b5ced9f79fc3133126cdd0a8
SHA256

1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156
SHA512

6330659e957041092242056baa9e652dcd9bec7630de34e291512dec678bb3bfa3f9e461baf43c6c19ecf280cd423320dd7ac7f736f3d89c565993fa05e30d23
SSDEEP

1536:wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211F:wdseIOMEZEyFjEOFqTiQm5l/5211F

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2288	omsecor.exe
1868	omsecor.exe
2828	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1860	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
1860	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
2288	omsecor.exe
2288	omsecor.exe
1868	omsecor.exe
1868	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2288	1860	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	28
PID 1860 wrote to memory of 2288	1860	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	28
PID 1860 wrote to memory of 2288	1860	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	28
PID 1860 wrote to memory of 2288	1860	1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe	28
PID 2288 wrote to memory of 1868	2288	omsecor.exe	32
PID 2288 wrote to memory of 1868	2288	omsecor.exe	32
PID 2288 wrote to memory of 1868	2288	omsecor.exe	32
PID 2288 wrote to memory of 1868	2288	omsecor.exe	32
PID 1868 wrote to memory of 2828	1868	omsecor.exe	33
PID 1868 wrote to memory of 2828	1868	omsecor.exe	33
PID 1868 wrote to memory of 2828	1868	omsecor.exe	33
PID 1868 wrote to memory of 2828	1868	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe
"C:\Users\Admin\AppData\Local\Temp\1daab24ccad698e9414bfb3c59630a4508d483999aaf27bc7b24c99b9b3ba156.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
0d39ec2dd7244332f2cae5dd6fba494f

SHA1
7fcfd3011d55bcd012a6afcbb7b8c627fe652e9d

SHA256
da5493918abb9a1e03cecadfe9d163c3258aeb2d476e0b4737aded81e4f64c4d

SHA512
734890f5f41fced6b8bc2196684bafe8535be4002d48f4f6c335245b2eecacbe80c80043885cc98ef655d1bef2bdfb013ac670461171c39e7d5f777691f1d582

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
83b08750d85c9a8234bf8259874ed5e0

SHA1
35e613fdb856933de13d8815a1509582be68e5b9

SHA256
79031c2e02b44be9c964a7de95879af8f1444dc08961ea80b4171ed6b0802bc7

SHA512
c3843bbe64582d2fa7a12112a21bd09e8cf0c960e69ede3e1e6b3917d83eae1821c1761c11c559c1c7c270fba6ebeba8005fb3836b5a5d58986363804235fe64

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
329e8e8e8951b08de074c44fc839ec24

SHA1
0cef10e5aa48cbc814b5350f60e1f36f78c1d0dd

SHA256
fde99810ab06d43d1d593739cdf41ba69abc24794270abefc6a209a14e178dc2

SHA512
d42c208b365dccb5fb29ca04159503c33bef9ac24da9370e6da2381c5ea117010d1727601139f046d0bf399c436da162f62513cb1238fba4fd5200a9bc2a16b2

Download Submit

Analysis

Sharing