neconyd | 075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f

General

Target

075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe
Size

72KB
MD5

882b21ffea45df06e8d491977cc09462
SHA1

4854d5ce9493caa4951194c1e467d048f7217e09
SHA256

075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f
SHA512

facd894cb976006124b2de29886b2e47d147addd4fba162e18a3126f02aac74acbe4bf63edafc6011376a1b9e09f3da351a114c1225fea2a0fa4827802018f37
SSDEEP

1536:Sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211H:idseIOMEZEyFjEOFqTiQm5l/5211H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1544	omsecor.exe
676	omsecor.exe
2964	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2516	075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe
2516	075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe
1544	omsecor.exe
1544	omsecor.exe
676	omsecor.exe
676	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1544	2516	075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe	30
PID 2516 wrote to memory of 1544	2516	075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe	30
PID 2516 wrote to memory of 1544	2516	075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe	30
PID 2516 wrote to memory of 1544	2516	075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe	30
PID 1544 wrote to memory of 676	1544	omsecor.exe	33
PID 1544 wrote to memory of 676	1544	omsecor.exe	33
PID 1544 wrote to memory of 676	1544	omsecor.exe	33
PID 1544 wrote to memory of 676	1544	omsecor.exe	33
PID 676 wrote to memory of 2964	676	omsecor.exe	34
PID 676 wrote to memory of 2964	676	omsecor.exe	34
PID 676 wrote to memory of 2964	676	omsecor.exe	34
PID 676 wrote to memory of 2964	676	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe
"C:\Users\Admin\AppData\Local\Temp\075edd3335fbf4aab941b41eea8c89fb25d2f0afe11728a353947a67681fa90f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
eaaf978fdf8d8db549b8ff9851e0d67b

SHA1
e76f47deabcf316ccab88b40f5d0033c2e27c2df

SHA256
1628ae8e50ed4c9d4a61b0f4bfa1b087425f889e0b3dc14fd537411ce5dd92b3

SHA512
eb25cf3c79ed7e5c8eb059dc7bd9604b1c268d1e54444c668a69d7202c7feaf8684cf8fda8f190fd75371dcbcb9d043cb08500c33077da4f8dc4b47146e73001

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
57221298201af49b3255a9165f050547

SHA1
dd08fb4d92370fd360f154ec7ff6cda86522cb92

SHA256
c637ebe7e1efdf4f3e6771b3f89c25c0e361db902641b2a8f5b6a2b71181ce71

SHA512
10675927553b1e7d503c98d209aef7d54ee61cac6163ee0ed167305af33474c6aac5072bd3d871c4538b014a96b7f5d45daccbef0789f5f8e9d30531cb419271

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
fb562f8f42428c981593aeeb3c0bfd3f

SHA1
d79f19e9e64a2194574a696aff5501419d3806fb

SHA256
e4e473baef609dd04a023f0c9f56912875f4c2fe9dcde2a81fb9a1ce465cd1d8

SHA512
ae6a82d7d7279b9c9c5a79e287eebad6da1a843ff7d199a036ef5317c18e6a50ca733ebdb44a6b7d079f21722f43ce95d15da8356753adc5cba41f2aa90d6b4b

Download Submit

Analysis

Sharing