neconyd | 132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655

General

Target

132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe
Size

76KB
MD5

690355737d2f814f310663bba1c6a360
SHA1

74e33198be7097aecf28ba8cac8504fa705ef8ed
SHA256

132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655
SHA512

4ba88aac4f4a493f851e8f7bba4c9366b1fae32e8d9badfbe0456d8703b2b41bb58e5222bc23dd6527ab2d84c0bacdebac38007cafa745a3543cb7d5c6429b5f
SSDEEP

768:AMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:AbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2880	omsecor.exe
1520	omsecor.exe
2364	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2308	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe
2308	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe
2880	omsecor.exe
2880	omsecor.exe
1520	omsecor.exe
1520	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2880	2308	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe	31
PID 2308 wrote to memory of 2880	2308	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe	31
PID 2308 wrote to memory of 2880	2308	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe	31
PID 2308 wrote to memory of 2880	2308	132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe	31
PID 2880 wrote to memory of 1520	2880	omsecor.exe	34
PID 2880 wrote to memory of 1520	2880	omsecor.exe	34
PID 2880 wrote to memory of 1520	2880	omsecor.exe	34
PID 2880 wrote to memory of 1520	2880	omsecor.exe	34
PID 1520 wrote to memory of 2364	1520	omsecor.exe	35
PID 1520 wrote to memory of 2364	1520	omsecor.exe	35
PID 1520 wrote to memory of 2364	1520	omsecor.exe	35
PID 1520 wrote to memory of 2364	1520	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe
"C:\Users\Admin\AppData\Local\Temp\132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
80b2cd4a7505b51896eb1fc187e13082

SHA1
449e6fc05dc0d9fdaea6904e0f4d053c9aa00203

SHA256
b0f3dc1e3997e6b2099b5d1eadca8ba05d445affdebfbfc71a9f651a5dc625c5

SHA512
2001d4df818501388fee016012f6bed2e84309e3633e5f6c779d49db819577db0facb3fda4dc32c52a63dfade807cb23fd81a57b8bf26729a37f4a5f67d8b78c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
422db8ea0bab76a0e7ea2a7ad00ae1a1

SHA1
1bc6ebee321d0a4c4491c7a1465048d8a71292eb

SHA256
b2c42665895431817d94f6d3c864c2ebb90503781baecd0efe4ff62a815de5db

SHA512
128f8f8b7e46f79e3dd68bb77ac141d22e645d0cc6624d621a1507bff74fa1e3d9ecf8d47809a4df56bc3fa345dbb210d13c9a5222b3d0aa453df2629cc5ad05

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
392deab27e2d79063b82f9bcb192fcd2

SHA1
30d0134139fa1520d28832f4016af84f67a232aa

SHA256
204ace6d28affe81505c5203b66b637e7b6a20de1719a2756c5731fffeed6d85

SHA512
e6e006851ab9ed5e4fb0aaf8b9088403aa54ea1de846af04ff70ac0d0f425bca6382516ba71835b26d254c9aa63798c1e4468496e6a7f1a5f7f13e41e3fdfc84

Download Submit

Analysis

Sharing