neconyd | 942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126

General

Target

942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe
Size

76KB
MD5

f631c17e6769f71b0836e606bd8fc5b0
SHA1

cff9c884387f2790d6e6565ceae64a9c9cb92dc0
SHA256

942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126
SHA512

1049d9f39d70bade985f0de953689488677e369d5b695422794867a66d05cf8f4df04440182b2b76a7ca6e412da131fa70af2291f0f6fe42343d84151eed53ee
SSDEEP

768:mMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:mbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2076	omsecor.exe
980	omsecor.exe
1504	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
800	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe
800	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe
2076	omsecor.exe
2076	omsecor.exe
980	omsecor.exe
980	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 2076	800	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe	30
PID 800 wrote to memory of 2076	800	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe	30
PID 800 wrote to memory of 2076	800	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe	30
PID 800 wrote to memory of 2076	800	942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe	30
PID 2076 wrote to memory of 980	2076	omsecor.exe	33
PID 2076 wrote to memory of 980	2076	omsecor.exe	33
PID 2076 wrote to memory of 980	2076	omsecor.exe	33
PID 2076 wrote to memory of 980	2076	omsecor.exe	33
PID 980 wrote to memory of 1504	980	omsecor.exe	34
PID 980 wrote to memory of 1504	980	omsecor.exe	34
PID 980 wrote to memory of 1504	980	omsecor.exe	34
PID 980 wrote to memory of 1504	980	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe
"C:\Users\Admin\AppData\Local\Temp\942ec238b7ac93df2cde0d9dde2ef83ea2df05719611ac7c02f0c8561c50b126N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
74a63a3b32f0977396008d8553228e51

SHA1
4385d3359db01174a045a2a31658c2dc88282262

SHA256
1597be816a994bb52d8f5ab9de91955219fe5ba4b64bc511df70a891cb58bcdc

SHA512
e3bf8a51f84411e83d80abed2ef7f30acd6483810d5a59f57dfc385a53f780c012495519aabc94b99b1256878a934c2298a55db0342d030146f6bd99598bb0d5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
1046792cb8011bb10d81beb9b3ee936b

SHA1
d1e7c28d01ec47064bd9eb14f4f0f469afb7669c

SHA256
cc6f99c4e89d5e84fe3d5d20d3de2283a709f63c5c1d538218b7efe55f80c6b1

SHA512
87f5fc35c3ce970523e8aeb59794833ffe33a3a2851d8eddd4a754d7d8bec182286a10270fe34f1fed31805305dddc7bfe683fc066620d2a5ab1960c01947415

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
c73d74f403950225c0d858f4e6419eab

SHA1
652d11b22cd212ee5eaec6062b24cebeb94716e8

SHA256
1797be3dfa550bacf7db88c109570ff002bb6afc6a8e9ab6a1216e6f1ee655f9

SHA512
f6bdcd381acecccc5d19f61cec84a0011ff3b631bb735f57a66e013eee96eda21daefaf8a9dc0a9f15867066da520edfa8fd49f31eb203cab69d8f5cd65c28f3

Download Submit

Analysis

Sharing