neconyd | f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8

General

Target

f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe
Size

76KB
MD5

4447ea922b2b000f75a49c8adadcb6e7
SHA1

cf5eb0b0c8d43f834ba112a93495f1bdfef41220
SHA256

f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8
SHA512

f43ea8dd067d074f70e84bc2beeadd1d3bdd8417cfec32ca068282e5cfa2abd56464ed1b4d74443d4577053d01fac199042332d93adaa6b95346b86ee1dcc5a1
SSDEEP

768:aMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWZ:abIvYvZEyFKF6N4yS+AQmZTl/5OZ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1340	omsecor.exe
800	omsecor.exe
476	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2656	f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe
2656	f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe
1340	omsecor.exe
1340	omsecor.exe
800	omsecor.exe
800	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1340	2656	f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe	31
PID 2656 wrote to memory of 1340	2656	f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe	31
PID 2656 wrote to memory of 1340	2656	f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe	31
PID 2656 wrote to memory of 1340	2656	f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe	31
PID 1340 wrote to memory of 800	1340	omsecor.exe	34
PID 1340 wrote to memory of 800	1340	omsecor.exe	34
PID 1340 wrote to memory of 800	1340	omsecor.exe	34
PID 1340 wrote to memory of 800	1340	omsecor.exe	34
PID 800 wrote to memory of 476	800	omsecor.exe	35
PID 800 wrote to memory of 476	800	omsecor.exe	35
PID 800 wrote to memory of 476	800	omsecor.exe	35
PID 800 wrote to memory of 476	800	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe
"C:\Users\Admin\AppData\Local\Temp\f8ef32d15ea9973e8e0cc584c6a01a85de54fc32e528858f3ba54b50705871f8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
831abdbc29464542f622700b4864082e

SHA1
333ba113ef3c4570e40abdc37438ce7553beedb3

SHA256
2a4c8e8edb3282080cf36bdf3069d106bf4e981f38a4ef2c1bd54d0f81d1fad4

SHA512
f3051f82952af902390d074505d7931edb06a876ae3d7b743ca4f9c8915c769eed169ca1476f2338b4983dd6a3183e11dc93b36d326f5cbf2d5f22849d982f95

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
21c6e9b59db574faf80c02c28c6069aa

SHA1
f7e2666484fb854714919fc2384419aaf5bb056a

SHA256
63554ea2e688acc96dfceffc39177812a3277df34a859edeb850a8cd31ebee95

SHA512
765c8f805f280301e7c17fadc11360ca7adb8cf23a2934fd78c6bd4ae56183dc80f9a0abab7b298c01a113d55cd3778704fdbe8c549db1f7eeb010e29e0730c5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
ca1a1f201f7d925f70baedde4009a039

SHA1
c4af5c28ae8d4bf8726b6c3eee1b80521d4c7a27

SHA256
e75697451c1abf09a124170f9be51bbac98686994d4c8f4d080e7d5a32f5a45b

SHA512
f4f7ef5a24e236dc6c096edd4e6468abdded533f176a356a56e4a7a8286a491b9932312c86bdac64687b96e93df507ff1014390d3a8da7ddebaef6b915e8321e

Download Submit

Analysis

Sharing