neconyd | ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52

General

Target

ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe
Size

80KB
MD5

9470866f27507e29f99d1ec06e9a9420
SHA1

d41cb77c832d9201f50c966508e75d97c59f85df
SHA256

ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52
SHA512

622d320fdd22431e5e068539b3704ac80ca994062d7d73f22c1b1ac316c7b82ba790a05eb0205105b444a7e5a31402f7ff193dbdab8ce413634420f7071dbff1
SSDEEP

1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:2dseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
936	omsecor.exe
1676	omsecor.exe
1372	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2452	ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe
2452	ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe
936	omsecor.exe
936	omsecor.exe
1676	omsecor.exe
1676	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 936	2452	ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe	31
PID 2452 wrote to memory of 936	2452	ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe	31
PID 2452 wrote to memory of 936	2452	ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe	31
PID 2452 wrote to memory of 936	2452	ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe	31
PID 936 wrote to memory of 1676	936	omsecor.exe	34
PID 936 wrote to memory of 1676	936	omsecor.exe	34
PID 936 wrote to memory of 1676	936	omsecor.exe	34
PID 936 wrote to memory of 1676	936	omsecor.exe	34
PID 1676 wrote to memory of 1372	1676	omsecor.exe	35
PID 1676 wrote to memory of 1372	1676	omsecor.exe	35
PID 1676 wrote to memory of 1372	1676	omsecor.exe	35
PID 1676 wrote to memory of 1372	1676	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe
"C:\Users\Admin\AppData\Local\Temp\ce3f90337ff828af2c03fa476948061e41a7ceb9982dfb116c315dd77271ee52N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
05fb1bd5a07f2af2f887d2d050bc7150

SHA1
95d4377c79e2807bcb0429c3140280908cdef99b

SHA256
5493709f2597c32d542fc38e26f7e5ba06e145ab697745cbb4fa808c8e980086

SHA512
cbc9344f723abffda13c6be833e6597a8b24721f73792a322ff9a7c5f3a5425528f94ce9db71dd63d38181441a3e958160a2ac05bc53ad05ceca0776a65144cb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
031349407a049e3e337d8dd6609c2dd1

SHA1
0c784e1feef2ab7a0db4d8d61890c078ad326553

SHA256
6bb3f7cb43c76b0f0bb2b29926797b50b494841db45dd8fc89c4b504b45bcd24

SHA512
19463244f10675e638494e427885bd5bb165f7b092f07d5d100b9a9bd732bf4894159e71f3c59bf649e3e76c1826a88c1667ba39168b8d0d893bc0ff7ba7be49

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
ec26ed824f10c2c5c4956e47435d8067

SHA1
f8a8a2682ebb1fc7ca3ff9f44651238b468bf7ca

SHA256
beeb82c116b0a9ccd8b0936aa43677f98329d8d5618b7909c94f6b5480b05e71

SHA512
465d7f05d9e6e626cc62faa1d416fac54727a3117ea24338a4fdb283e75990697864e01e22973c7be2b3d35a76eab63bf16e792221f0d1b9e23dc9f648bddd35

Download Submit

Analysis

Sharing