neconyd | 261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9

General

Target

261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
Size

76KB
MD5

fa3e88b79d7f31ed90462d41155ccfe0
SHA1

4619556e37f8549041b280b1626342c74e3bcb3c
SHA256

261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9
SHA512

0b90acec18ec4eaf607575bb13ecd581d192f8a6c06e637f3afbbf5970fd98f30fa018f1260cdd7cd2d9379b64363d1cdbe20aaa23d3258f04a8d212c80aa5be
SSDEEP

768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:MbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
472	omsecor.exe
2312	omsecor.exe
1188	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2600	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
2600	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
472	omsecor.exe
472	omsecor.exe
2312	omsecor.exe
2312	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 472	2600	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe	30
PID 2600 wrote to memory of 472	2600	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe	30
PID 2600 wrote to memory of 472	2600	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe	30
PID 2600 wrote to memory of 472	2600	261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe	30
PID 472 wrote to memory of 2312	472	omsecor.exe	33
PID 472 wrote to memory of 2312	472	omsecor.exe	33
PID 472 wrote to memory of 2312	472	omsecor.exe	33
PID 472 wrote to memory of 2312	472	omsecor.exe	33
PID 2312 wrote to memory of 1188	2312	omsecor.exe	34
PID 2312 wrote to memory of 1188	2312	omsecor.exe	34
PID 2312 wrote to memory of 1188	2312	omsecor.exe	34
PID 2312 wrote to memory of 1188	2312	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe
"C:\Users\Admin\AppData\Local\Temp\261915a75c9c05eb27ea0f20af21b594e6713d51de3056d49a0ae5dde23d9bd9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
690355737d2f814f310663bba1c6a360

SHA1
74e33198be7097aecf28ba8cac8504fa705ef8ed

SHA256
132ad8d2b16ac15f52354135364bec019acbbbbbf3d2c6d98f6aa73eee148655

SHA512
4ba88aac4f4a493f851e8f7bba4c9366b1fae32e8d9badfbe0456d8703b2b41bb58e5222bc23dd6527ab2d84c0bacdebac38007cafa745a3543cb7d5c6429b5f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
79c49cf933cff147828d3005b5385381

SHA1
fdbcf213df12fa5f1f6617a3cf2c57456207bcd1

SHA256
8ecf47bf70ab5196bd568a609a1daddd51e2b5ed396b116ce27be4351b78f906

SHA512
b78064e062f362f2d51005426d71febe4a1278db7a95e9b6cb9c54e7104f1219fabf56f3d4e55975363d48104e501906c5b5e73e733fef9fefee3e9252abbabb

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
1a1e26239e17043c6c57cc90b6813914

SHA1
b2b0dde9f956782229467d4be70138bdb5642ad2

SHA256
1fdca8440ed4059e9187798573c2292fe07295c032c14be81ce446bb4cf6695f

SHA512
fa95a0ef0866e2d81f1911c9b4c5d459957d9fbbce736d0be18fc437d4632f1717e88bd29b7338991a1a1072f4ab37f99d1d512128ce15532dca036ae914a4f4

Download Submit

Analysis

Sharing