neconyd | 65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3

General

Target

65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe
Size

33KB
MD5

b4fb7aa55093dabeb9843970eb9914d1
SHA1

bb1aab0f590f8771b286ff584da3ad6000a7fdf1
SHA256

65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3
SHA512

1bf4345bd11957f2a66000b8a5253970ab2cc275d83d83ab035a56da6bad87b1607af3d1d29af8a2606ea1da9247478f2913bf89ea009c97ba467d563a0f55e1
SSDEEP

768:/fVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D/:/fVRztyHo8QNHTk0qE5fslvN/956qo

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3924	omsecor.exe
1440	omsecor.exe
3728	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3924	916	65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe	82
PID 916 wrote to memory of 3924	916	65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe	82
PID 916 wrote to memory of 3924	916	65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe	82
PID 3924 wrote to memory of 1440	3924	omsecor.exe	92
PID 3924 wrote to memory of 1440	3924	omsecor.exe	92
PID 3924 wrote to memory of 1440	3924	omsecor.exe	92
PID 1440 wrote to memory of 3728	1440	omsecor.exe	93
PID 1440 wrote to memory of 3728	1440	omsecor.exe	93
PID 1440 wrote to memory of 3728	1440	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe
"C:\Users\Admin\AppData\Local\Temp\65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
919ae0ec9c3e1084958861857015343f

SHA1
1e998d055c16d1f8bea112617552926078e36956

SHA256
005444b43ba4fc7a1893d950cdc4134543410a7b15c33f9d24d95e0816b2bc4e

SHA512
9344676e5c9d6527e5ff4044d82a36702ed12203f8d096cf75f770b0457f7592cbb7443b425c13009cdab5433892711e8d77904b0891ae74aa6bad81700392a8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
e93700c04a2acca4562f5e8bc520dfe2

SHA1
36a38201996dd8f8a45497c2e02faa421366dfc0

SHA256
b3f090aea96180d067de8acbd2ba30d89e70c9ae74fd281434e9b04be29b10ff

SHA512
02793a34a59bf4bf1f854a812e513e8122fe63d4c32cdbc21217c6924f7809667c77d4a212b6e365be67e6b641a2dac1ca03036fb206e64ef40368108a69811d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
85b92d0cb421f0d743be50fe6deeac1b

SHA1
8983d81b0cafe1d5a50e1231627eb64a15e369c1

SHA256
b414e6f801ae021638bd82e47a2b2d1ec310179d9c9e8e4ec03e1924ffd4196c

SHA512
9b122601d1a7281966b59735446e67dfca09e8b3b18725f5a5d33abb147dd27122adab394879fd73ad256b6461e22ea56c83b8d95337f948c53a7e0e548586c9

Download Submit
memory/916-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/916-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1440-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1440-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3728-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3728-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3728-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3924-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3924-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3924-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3924-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3924-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3924-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing