neconyd | 1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364

General

Target

1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe
Size

72KB
MD5

d0d94eef3c9ada4aa73022c8b99a4c4c
SHA1

0bdbfd32c96ac9c1ecd98e84b0225c398e320b54
SHA256

1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364
SHA512

3d6099a990086a9da41b28b0ac427126e13cd0fc2e850e26777131bf9764569cd046c93580cb8fb94ec14fa37e934cc42e9d5d58eb9b15224e779b6da74d6388
SSDEEP

1536:vd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/52111:HdseIOMEZEyFjEOFqTiQm5l/52111

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1628	omsecor.exe
2536	omsecor.exe
2628	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2312	1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe
2312	1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe
1628	omsecor.exe
1628	omsecor.exe
2536	omsecor.exe
2536	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1628	2312	1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe	30
PID 2312 wrote to memory of 1628	2312	1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe	30
PID 2312 wrote to memory of 1628	2312	1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe	30
PID 2312 wrote to memory of 1628	2312	1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe	30
PID 1628 wrote to memory of 2536	1628	omsecor.exe	33
PID 1628 wrote to memory of 2536	1628	omsecor.exe	33
PID 1628 wrote to memory of 2536	1628	omsecor.exe	33
PID 1628 wrote to memory of 2536	1628	omsecor.exe	33
PID 2536 wrote to memory of 2628	2536	omsecor.exe	34
PID 2536 wrote to memory of 2628	2536	omsecor.exe	34
PID 2536 wrote to memory of 2628	2536	omsecor.exe	34
PID 2536 wrote to memory of 2628	2536	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe
"C:\Users\Admin\AppData\Local\Temp\1b61b23a8eb398222acbd3e5e2a4b88dc5ce97e4f83b356aeb1d315a6a5bc364.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
5592c125815a0dd291caef8de6753601

SHA1
596134a42758ef16e562c2cfe9f162205b19eebb

SHA256
31a3042a05c55d1f54c27856cd03e229fff014d8f66bf49877d19c6dab9c9a49

SHA512
191a615e7739d2b9b92b29cd2de116b7a8a70974337271a738d2c0888494c28bf7d91a590450c5d117ac6b90643b7fa15e3f39473a97bc06104f9fe3e9c5148b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
77de2ec5f0d2192c05489570ed4cd164

SHA1
f76d6f37fcd4231edccd4d506e6b7ef739aa8725

SHA256
8db6baf2635fe415055283de863c01f3f75f2a4055b38441ff1fca34ef0e7a19

SHA512
e0a26be2c1c9766962fa1f069bbccac8142df57618d81a062d54c8e75d0b3a5c126240e3bf2ba566446a6a9c95d5073eb92506d555c5e98a4eeaa47faae3351e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
2165786d697bde8c16835d5ca353d2fe

SHA1
923e376852ef3b5056654950685a4aa36d845f2a

SHA256
99897eecdfa688cff43706a37c30bfaeda86af470ec5df6b8bf7cf2b606bc8e3

SHA512
3eb39652b525ef810a1de142cb9abdfebd7e608c3632b880f18f2193b8f003e532c5711558c8674b93b7f6c8b9f5660643eb98c6a0a625874a6def30040a0ceb

Download Submit

Analysis

Sharing