neconyd | 0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e

General

Target

0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
Size

89KB
MD5

cef4897610743d42e2166379784d01fc
SHA1

1917e52e8476c756bc1930afca8f283aa33688d5
SHA256

0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e
SHA512

cb905e9435a3ae511c8261a31e555fc03d658cc2ae4bc004fe3755391b5935b3be2fb152fcd4c92147cce7013dd2c156e38f53722f2c30f72c8e28ec29ad507d
SSDEEP

768:FMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAd:FbIvYvZEyFKF6N4yS+AQmZTl/5l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2376	omsecor.exe
616	omsecor.exe
2904	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2500	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
2500	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
2376	omsecor.exe
2376	omsecor.exe
616	omsecor.exe
616	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2376	2500	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	30
PID 2500 wrote to memory of 2376	2500	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	30
PID 2500 wrote to memory of 2376	2500	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	30
PID 2500 wrote to memory of 2376	2500	0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe	30
PID 2376 wrote to memory of 616	2376	omsecor.exe	33
PID 2376 wrote to memory of 616	2376	omsecor.exe	33
PID 2376 wrote to memory of 616	2376	omsecor.exe	33
PID 2376 wrote to memory of 616	2376	omsecor.exe	33
PID 616 wrote to memory of 2904	616	omsecor.exe	34
PID 616 wrote to memory of 2904	616	omsecor.exe	34
PID 616 wrote to memory of 2904	616	omsecor.exe	34
PID 616 wrote to memory of 2904	616	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe
"C:\Users\Admin\AppData\Local\Temp\0144d737c53ae8076c36c47dc86deeba349f6dedb2ab7d449ade92d7b5dc6f5e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
ed131a701dd9adaf5508475e1e53d536

SHA1
b0acaec527fcab2695d6a3f358596e99305bf03f

SHA256
6b07b1de71c071bb20c62ae8f54384c1ee404e7fce8cb8ec0f25feec4f16e750

SHA512
746bdf7d3dab2aeeb8053a1b64675a66a49584ba8d1f69a12291929116d5505c60f58fb590be5806095fa1aa7b69a18f0457af99261c970f4c8391cfa37269f3

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
986ba34f68eef4300641c5106fd9897c

SHA1
588e12e8a229efed7afe3dc537b880bff62607dc

SHA256
bd9510334fee11168f0a6934f6e17237d6842088ac7c4cab33118478d0ba4c18

SHA512
039272075e836c5914f479180f701c6b047d877b2fd7cf345997870dbf1c606684116a068e945efaa34ab7416048ff50e163c2ca85c7a6f681b1865553de58d7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
da9252a099f397bacb7ab73ad0d14cbd

SHA1
f376b7a860856f858ff8761d27d7cba97b8281d1

SHA256
41f05966b41a8723958540b858af1eb1a2c6941ced1f85f6fdf3c32f1fe2a030

SHA512
0240af82cbddbe334230352cfee40f94e505757e9e582dbf64da481a07c9ca9f2c62813abf98d133d7866a15cccda753e17bcf46bd63fcccc41c0d34763d2b23

Download Submit

Analysis

Sharing