neconyd | b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69

General

Target

b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe
Size

61KB
MD5

59ada6b8a5b4b1d95057515b1872a6a3
SHA1

fb1ee815d23703c8182d9f2d4209d47678201cba
SHA256

b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69
SHA512

3afaba73b5be8cc19a1c2ef5307af9ba8ebb5924233ba22ca8e9c3d2c302b15f0bcdab8f419151058f910144c16541f7cd1db66f5895f3d0a3c67d9412debed1
SSDEEP

1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/53:edseIOMEZEyFjEOFqTiQmTl/53

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2688	omsecor.exe
2144	omsecor.exe
2868	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1728	b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe
1728	b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe
2688	omsecor.exe
2688	omsecor.exe
2144	omsecor.exe
2144	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2688	1728	b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe	30
PID 1728 wrote to memory of 2688	1728	b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe	30
PID 1728 wrote to memory of 2688	1728	b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe	30
PID 1728 wrote to memory of 2688	1728	b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe	30
PID 2688 wrote to memory of 2144	2688	omsecor.exe	33
PID 2688 wrote to memory of 2144	2688	omsecor.exe	33
PID 2688 wrote to memory of 2144	2688	omsecor.exe	33
PID 2688 wrote to memory of 2144	2688	omsecor.exe	33
PID 2144 wrote to memory of 2868	2144	omsecor.exe	34
PID 2144 wrote to memory of 2868	2144	omsecor.exe	34
PID 2144 wrote to memory of 2868	2144	omsecor.exe	34
PID 2144 wrote to memory of 2868	2144	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe
"C:\Users\Admin\AppData\Local\Temp\b01d3869bb2b2e01eda73d36b400c26411e1c883efcb281d2d4840a3fdd37d69.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
6353b341752d72e1d3571499437d9bef

SHA1
f53b39ba778dcf7c52da3f42b15128068740787e

SHA256
59e51d94da228aa8c60558f80760cc064c89b0f55c6b09d1d80ce2163c553510

SHA512
5432b91ae7f2f9e8fbaf670c01506cb117e2d1c55fdffff01ee2f0f2b097b6ae851076541278ba99ef530e4f9c8290adec26ffb0868a99b23651c79de369076d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
9964def7a53a1b57431074b6be664ec6

SHA1
d9ebf51bc863222fdf5f037b07f7e98bc4c56c89

SHA256
76380946cc23666e047f4821da85adc922612ec898f26734d4a0eb8c1591275b

SHA512
16aced183ee23677c246313fd4a95b2e79ca8a8308607e7c1d6926993c2a3c65ac5a8e374dd5a6fdd7195d621c1af3aac7e0c53ab8f4ffffb67fa39db9bf4fab

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
7fe0f61e37145eea4c96ad70094b1fc0

SHA1
e71420e6260eaf0d4d7045abdf20812c2d8219f1

SHA256
3cadce1de294b82bdc5226a7f077e8d004ed680888423cf402955964006b6b21

SHA512
4e502354c18ffba94e2c968ef3e919623c5116e1cdcae931a91a928e43317e6aff189f6cff5b445518f2e2838e0ab778946c1236242e68af56ad44710ecf4a37

Download Submit

Analysis

Sharing