neconyd | f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c

General

Target

f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe
Size

72KB
MD5

71217ef9bc8fb2678221d2fdc3760f90
SHA1

5cd3794c1f6ac6b7ec34c7b9fd0389e9943d400c
SHA256

f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c
SHA512

32652b61fc9d56d7f338d85a2f87db0acd233d64d4f769428cba122fd241dee1f049f7d04d518ca32775fa842c18a7698fc00d3b3df96c6d9a32ef6788f645ef
SSDEEP

1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211t:KdseIOMEZEyFjEOFqTiQm5l/5211t

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2028	omsecor.exe
548	omsecor.exe
1964	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2408	f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe
2408	f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe
2028	omsecor.exe
2028	omsecor.exe
548	omsecor.exe
548	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2028	2408	f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe	30
PID 2408 wrote to memory of 2028	2408	f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe	30
PID 2408 wrote to memory of 2028	2408	f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe	30
PID 2408 wrote to memory of 2028	2408	f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe	30
PID 2028 wrote to memory of 548	2028	omsecor.exe	33
PID 2028 wrote to memory of 548	2028	omsecor.exe	33
PID 2028 wrote to memory of 548	2028	omsecor.exe	33
PID 2028 wrote to memory of 548	2028	omsecor.exe	33
PID 548 wrote to memory of 1964	548	omsecor.exe	34
PID 548 wrote to memory of 1964	548	omsecor.exe	34
PID 548 wrote to memory of 1964	548	omsecor.exe	34
PID 548 wrote to memory of 1964	548	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe
"C:\Users\Admin\AppData\Local\Temp\f44ff06af34beaf144ef042998ba79e111e74bfc9a0f9b08fb0f39acfd37f02c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
195a82aaf67cfd82dea64d6f54dc5e3c

SHA1
a27f39cd5e09a420677e80699e3195f57db3c8ac

SHA256
72b3171fe3e2d0ba46ca49259954040fcddb7a1246e92ff985e92f04f36487e0

SHA512
cd3e4052474eec523bafeb315271ac8a29a6dc1393a756363ee20e85cae2fe812e2c8d8942ef08591459dfeb2518732a376c0788cc1d10a329457c8398b4e4e8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
0e5f284e0da5060f0edead787517150f

SHA1
63c8a565307faec4ac30a0270e060024d52d43c0

SHA256
87ec6acff74f7740d3b43ec4c4849529dd6d7edd659dcfbeefcf23d370af87bf

SHA512
bbc016c5f848c71e5d6621fc2ed69e2c7228fde2f0fa44c5260450f6e8419ad11520ee68091c00816ad8a926faa8db30735d86661268dfac167129c9eec106e2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
3a6c91ee91df6c635e3548f550a35402

SHA1
3a63b4ab4a5609df10dab8041653c2287ba33563

SHA256
dcadfc5e5c57851174622b300b9d8674c8821298d0bcd4c0532071e21a5ac780

SHA512
7f8787a7d21783bc4b66f8c5a4c201bbd588d9b5715803268193abf11232e9e1880003f4d9f6499271dae06a84e1a42af71a797f4d75b80d6f92c0a3a6e2eb69

Download Submit

Analysis

Sharing