neconyd | b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051

General

Target

b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe
Size

76KB
MD5

1db49f4dbdeb0bb3961f6e1b06ae516b
SHA1

0c139e5e310812636f56024d31fa5d6c88420fec
SHA256

b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051
SHA512

fa3b5f209f8df73aeeae7ed84a970fef36ad4abe329d53daf92253f65041bbf027631a9522e5d63c3a1baa20487d7148906b0af134c3bc603c8537b9ddf9535a
SSDEEP

768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWJ:MbIvYvZEyFKF6N4yS+AQmZTl/5OJ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2580	omsecor.exe
2512	omsecor.exe
608	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2420	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe
2420	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe
2580	omsecor.exe
2580	omsecor.exe
2512	omsecor.exe
2512	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2580	2420	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe	29
PID 2420 wrote to memory of 2580	2420	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe	29
PID 2420 wrote to memory of 2580	2420	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe	29
PID 2420 wrote to memory of 2580	2420	b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe	29
PID 2580 wrote to memory of 2512	2580	omsecor.exe	31
PID 2580 wrote to memory of 2512	2580	omsecor.exe	31
PID 2580 wrote to memory of 2512	2580	omsecor.exe	31
PID 2580 wrote to memory of 2512	2580	omsecor.exe	31
PID 2512 wrote to memory of 608	2512	omsecor.exe	32
PID 2512 wrote to memory of 608	2512	omsecor.exe	32
PID 2512 wrote to memory of 608	2512	omsecor.exe	32
PID 2512 wrote to memory of 608	2512	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe
"C:\Users\Admin\AppData\Local\Temp\b23c0a605ffc12c091846693ac1a8a41d6cb1a29cea4e5f4b9b6744b3dc18051.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
21627f41c544ab697821507a7705cd79

SHA1
72ecfebefab911afc2872f07aafc65562098f48c

SHA256
b5852f8df9faa0bac6238f8a127f4086a2bd2f30a7d3538883b4ce3a6809dfce

SHA512
7737e02e391587c7a2342787ad6909acebd29a34fdce619e401397d61bb67720b9d037d6c78473bc0d6e86451e4b9fc09052ecd53ef528ddf6f43804d9fe6356

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
8486bc990cc2239c6ae8c11925e2c3ac

SHA1
ae4a7f3aab01d78435d383c358969e558b7a64a8

SHA256
5e42eead044de70b980038c97bbe1ce922ea9d08a17b8d20dae6e92ecbf33af8

SHA512
9e3030901bc9f927863fc88e605408f8d350d6c318e9e079871f886b2a6f5e4b3d8e147e1d94a595d9ee0ae3d39d957c2c8f012cdd41590027a4c57f04303778

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
9e2a97e3f3ee223e1468ed6344abb467

SHA1
a7cf52b4d182cee89fa91f74a9b8a5bd5b8bbce9

SHA256
92d204e1e034521608bbdb16786c6d7c7b1628f3cfa2732b94c4ec0b1cbffeb8

SHA512
731f1f98080368323a9f9df0d03c67bc2c04ae3529ff44a6c8260b3ded9c69b32b6ada855df6f9851b7b0ba5df3b19fab034699c1a89dbc8bc9c22f51e13fc4d

Download Submit

Analysis

Sharing