neconyd | 25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8

General

Target

25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe
Size

62KB
MD5

d1896f5ae8cf8436b83b2f6542117083
SHA1

3f873aff30a32926a4485d1398c22b2d8dc17cbd
SHA256

25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8
SHA512

35442b9fd60aa2ee142abf19b1583a051f0ebff2539778e7db9f16dc06af217d8f7d734132936cb0132b2f45cf9c13ad9a84279089cbf8aaff9ab2c0d17311d4
SSDEEP

768:nMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uAF:nbIvYvZEyFKF6N4yS+AQmZtl/5N

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1764	omsecor.exe
2576	omsecor.exe
2996	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1728	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe
1728	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe
1764	omsecor.exe
1764	omsecor.exe
2576	omsecor.exe
2576	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1764	1728	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe	31
PID 1728 wrote to memory of 1764	1728	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe	31
PID 1728 wrote to memory of 1764	1728	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe	31
PID 1728 wrote to memory of 1764	1728	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe	31
PID 1764 wrote to memory of 2576	1764	omsecor.exe	33
PID 1764 wrote to memory of 2576	1764	omsecor.exe	33
PID 1764 wrote to memory of 2576	1764	omsecor.exe	33
PID 1764 wrote to memory of 2576	1764	omsecor.exe	33
PID 2576 wrote to memory of 2996	2576	omsecor.exe	34
PID 2576 wrote to memory of 2996	2576	omsecor.exe	34
PID 2576 wrote to memory of 2996	2576	omsecor.exe	34
PID 2576 wrote to memory of 2996	2576	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe
"C:\Users\Admin\AppData\Local\Temp\25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
2cd7c80517cdbc9aca05e6e3c66a1406

SHA1
e8ff84a35fd25236dc4a51574108a677cc2387d2

SHA256
d11035c40016617ab62d44d807262d8f6dd441aa05dee9b46c23edb9ba5ea1da

SHA512
a67e6a227a08162892e9a4eead28d3129a67431bff3b713351492bf2a4d705867bd914d837355cbec1862a8bd249bc4222675ab010c50fdae6605f05c35d0cc0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
921a5b31ee28aad9fc29b5026f971c47

SHA1
c6df3ac2fa81c0f0aaf2665e64e3a3e062ae44d6

SHA256
88050d5d8d57c6e800e06bed7dd9849712ccf9820db15f5e53222cb842d2ff04

SHA512
352099e6d7508dfb1328630e2d3ad0ffab7176e7ed2a28290e5a1e9af7e11c4b8c2277cc8db9195758e88bd4080bd94a4ba2ff6b7ac1ccc6ef8e11eb22d9b30e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
f4ec3847ddbc539e8d5c1d3d3dcc4c25

SHA1
38efe1a4b4b7d3d558d28f7368129fd0305683e8

SHA256
9bd32a59b06737b8ad5d6d6ba05fefa18e2c3e34e68b32d313a2d0f1cd83171f

SHA512
ff8811db3518daf727f1120b5ac06493d6ea54bb963b616e92dd81b0e3e405aedbb75df0c7380ccd9ab806c3bb224f84b22724f1e92fa707caac1d1f0d763ef4

Download Submit

Analysis

Sharing