neconyd | 0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e

General

Target

0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
Size

89KB
MD5

cef4897610743d42e2166379784d01fc
SHA1

1917e52e8476c756bc1930afca8f283aa33688d5
SHA256

0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e
SHA512

cb905e9435a3ae511c8261a31e555fc03d658cc2ae4bc004fe3755391b5935b3be2fb152fcd4c92147cce7013dd2c156e38f53722f2c30f72c8e28ec29ad507d
SSDEEP

768:FMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAd:FbIvYvZEyFKF6N4yS+AQmZTl/5l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1668	omsecor.exe
1048	omsecor.exe
568	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3044	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
3044	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
1668	omsecor.exe
1668	omsecor.exe
1048	omsecor.exe
1048	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1668	3044	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	30
PID 3044 wrote to memory of 1668	3044	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	30
PID 3044 wrote to memory of 1668	3044	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	30
PID 3044 wrote to memory of 1668	3044	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	30
PID 1668 wrote to memory of 1048	1668	omsecor.exe	33
PID 1668 wrote to memory of 1048	1668	omsecor.exe	33
PID 1668 wrote to memory of 1048	1668	omsecor.exe	33
PID 1668 wrote to memory of 1048	1668	omsecor.exe	33
PID 1048 wrote to memory of 568	1048	omsecor.exe	34
PID 1048 wrote to memory of 568	1048	omsecor.exe	34
PID 1048 wrote to memory of 568	1048	omsecor.exe	34
PID 1048 wrote to memory of 568	1048	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
"C:\Users\Admin\AppData\Local\Temp\0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
986ba34f68eef4300641c5106fd9897c

SHA1
588e12e8a229efed7afe3dc537b880bff62607dc

SHA256
bd9510334fee11168f0a6934f6e17237d6842088ac7c4cab33118478d0ba4c18

SHA512
039272075e836c5914f479180f701c6b047d877b2fd7cf345997870dbf1c606684116a068e945efaa34ab7416048ff50e163c2ca85c7a6f681b1865553de58d7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
7c3a0bcd5bf2eb9701d4a55ca7598292

SHA1
caad1f2acd7c4492c3b6305360f63be785b3633a

SHA256
c259171d39a39a60d7b22f6e8d1aed3913dff1ae100d736d1be2d05c5b5b98db

SHA512
5ba3692e60a295bc64a814a74cd2667fe01494c1adecd52cd7ce35837b87bd0105d126e12c136c7d8a26844d90cd22cbfb7b6c93aa3a55d5ba6ec985ec13ceb7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
b00254522105869eb9952522d09b082d

SHA1
e77242bc2cfca88decaca98a49e9dba55ad5be08

SHA256
1650d78dc31aa4fb77b21516b98a76f17da7093614498404a73ccf3e9013d20d

SHA512
0f09b2e03d87f656357207023d59c753a81a51d2a3240657e7f29bf2cf8ed3e21b494527908d3a0e742462434e1d27f693cc03db6090d430b67ad97608b772f3

Download Submit

Analysis

Sharing