neconyd | f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36

General

Target

f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe
Size

80KB
MD5

c15d9fdf5c446b1c175a66be1ad84e25
SHA1

83c24c21624667175e4c8d5cac539312c75706e0
SHA256

f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36
SHA512

ebfb468ddc390972b7cfd3db666b52587a64112b633aab457368d02e0881cd505627f8a14f506ede91dc06a422c7e82950fb67fa3ac0c0e3694ec325b06180bd
SSDEEP

1536:Sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:idseIOMEZEyFjEOFqTiQmOl/5xPvw/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1748	omsecor.exe
1988	omsecor.exe
2900	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2772	f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe
2772	f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe
1748	omsecor.exe
1748	omsecor.exe
1988	omsecor.exe
1988	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 1748	2772	f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe	30
PID 2772 wrote to memory of 1748	2772	f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe	30
PID 2772 wrote to memory of 1748	2772	f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe	30
PID 2772 wrote to memory of 1748	2772	f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe	30
PID 1748 wrote to memory of 1988	1748	omsecor.exe	32
PID 1748 wrote to memory of 1988	1748	omsecor.exe	32
PID 1748 wrote to memory of 1988	1748	omsecor.exe	32
PID 1748 wrote to memory of 1988	1748	omsecor.exe	32
PID 1988 wrote to memory of 2900	1988	omsecor.exe	33
PID 1988 wrote to memory of 2900	1988	omsecor.exe	33
PID 1988 wrote to memory of 2900	1988	omsecor.exe	33
PID 1988 wrote to memory of 2900	1988	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe
"C:\Users\Admin\AppData\Local\Temp\f9f8076b87c8d6855ef682bbbdc4aebbaf1d8cff2d86be2ae1175dcc8e89ad36.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
3529d1fcb7c41c92a37900381618d158

SHA1
9a9f8cfdd6f1366e7e4866f2ce5f5f39e3d05be2

SHA256
deb8c3d0ac3937d9acd785511f560ef04a29bd5b664d282d47e85a28a8847f2f

SHA512
037899757ba1722d2e5c1c0b1c3ffaf6c9ed022186db2b1e7cbaf74504dbe4fa826a16d9604f015a78c980a7fddb0cde88a9af224a279fdee22cbd30e0e92a3f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
e26c5ed03c43d9cf71d65a38c6094673

SHA1
e36fd8f0bbd32e921f25cb697c0acaa4f3c6400d

SHA256
fbc7e037b45ee8d0fbee6bd2a6c1478534cf1c84e0b9f62650048bdf43572a08

SHA512
b6d488efa86095744b0864518a4ef33de076e70eda8b0342d7d10b0d1f652641eac933147a5f396901d01314059ca4c38d391d9a79c38fc6dce6318e4446a5e4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
3bc109aa7d8b160930a1c1d93ef90394

SHA1
a3eb43a93d4ed673f688bc9af8503a7e3d34babf

SHA256
b120a8a903aa3947809b5ce0fff71d67ff7aa1500defe21e32395e247d4eb447

SHA512
7a9f34f857ec65099ad39d67c37c0d53ac21b13d1addbb45420bf1d78c8be9802d58a5627a0b4d97c24172d4931cbe8be5b12c4e2af73baef8191c3e895c1dfa

Download Submit

Analysis

Sharing