neconyd | 981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9

General

Target

981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe
Size

61KB
MD5

1d429541a12776cd14dff027a4dbd4ff
SHA1

ccfc261cb2cd7e534957f8f90c1d6869a4ac3cd5
SHA256

981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9
SHA512

05c1ebaa68292a96ac52e4ede6524b1c3907d72e81c479bf842b0222bb30a5413ec3aef53eacbc3b389a24c57041d715876e326626c117dea59340dd069a7f37
SSDEEP

1536:ed9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5/:GdseIOMEZEyFjEOFqTiQmPl/5/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2416	omsecor.exe
1700	omsecor.exe
1488	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2660	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe
2660	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe
2416	omsecor.exe
2416	omsecor.exe
1700	omsecor.exe
1700	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2416	2660	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe	30
PID 2660 wrote to memory of 2416	2660	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe	30
PID 2660 wrote to memory of 2416	2660	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe	30
PID 2660 wrote to memory of 2416	2660	981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe	30
PID 2416 wrote to memory of 1700	2416	omsecor.exe	33
PID 2416 wrote to memory of 1700	2416	omsecor.exe	33
PID 2416 wrote to memory of 1700	2416	omsecor.exe	33
PID 2416 wrote to memory of 1700	2416	omsecor.exe	33
PID 1700 wrote to memory of 1488	1700	omsecor.exe	34
PID 1700 wrote to memory of 1488	1700	omsecor.exe	34
PID 1700 wrote to memory of 1488	1700	omsecor.exe	34
PID 1700 wrote to memory of 1488	1700	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe
"C:\Users\Admin\AppData\Local\Temp\981937fdf4cd5ea4481013ddf1d3247faca74b0449477c1286a7aff2916125d9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
62a1de0ab68e289ed6c5e6e39f79ab4e

SHA1
92dbb49e36eb3c32de2bbed45412258e3d5422ab

SHA256
afa7b5a6326712c5cb5dfda7aa0a9bc2586820977316f47700d73e9d525e1514

SHA512
f23a2d444ae79ded95571562371a744ae0eaf42f4db3f22213d0ffe429061cc8b3c57bf7099ae838d62eb27e3a625c535763ea5e2f1d7d845c3deca4e29f23f6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
6813bcc3399af76a248d6e841bf7e0eb

SHA1
3dd9f87d85e093dde8b991dba2b67fd293560483

SHA256
739900d2a87a9243fa42edbb54f7ff576c237fa69d4bae0c8cf09b345545a2d7

SHA512
4b72b53e479ec10ff1304738d11ea37363c785c190b9cb7a3e70fb26c62386538f64716f9d052d84c4bf0b687953d1406bab66b0c40c6e7d2215dcb75c5bd61e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
a56c6be61746e291e3f8b77644d7db03

SHA1
c6501ebad6c04e5469a327f26b6d5883cb7ac2ec

SHA256
c1772d9a73f0aeee773da4c8d67fcba0436c3b9cbeddd0ce8db14002c99a240f

SHA512
e536184a48084d3ee5641909512d225080083d01fd65c93ad72a84fd3df42081fdffb513fec1b6baf5caa0894ac80d3887239253b9e8c8479a2a004e7c4195dd

Download Submit

Analysis

Sharing