neconyd | cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4c

General

Target

cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe
Size

61KB
MD5

a8389fcebedd36a14db2fbda1c78f590
SHA1

27f1057591682c031a0b9c4012f94ccfd0c3ec29
SHA256

cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4c
SHA512

10d2bb0ea7b97a87403d354f1a8789f5bd02175b279d136cebd0365dc80ec60297543e4c9dfbdd690d65270b72e1dba4dc19e3228f1acc23ded399f2ebfac569
SSDEEP

1536:ed9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5:GdseIOMEZEyFjEOFqTiQmPl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2404	omsecor.exe
1224	omsecor.exe
2796	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2108	cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe
2108	cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe
2404	omsecor.exe
2404	omsecor.exe
1224	omsecor.exe
1224	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2404	2108	cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe	30
PID 2108 wrote to memory of 2404	2108	cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe	30
PID 2108 wrote to memory of 2404	2108	cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe	30
PID 2108 wrote to memory of 2404	2108	cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe	30
PID 2404 wrote to memory of 1224	2404	omsecor.exe	33
PID 2404 wrote to memory of 1224	2404	omsecor.exe	33
PID 2404 wrote to memory of 1224	2404	omsecor.exe	33
PID 2404 wrote to memory of 1224	2404	omsecor.exe	33
PID 1224 wrote to memory of 2796	1224	omsecor.exe	34
PID 1224 wrote to memory of 2796	1224	omsecor.exe	34
PID 1224 wrote to memory of 2796	1224	omsecor.exe	34
PID 1224 wrote to memory of 2796	1224	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe
"C:\Users\Admin\AppData\Local\Temp\cd618e10c46e0951a984837e367f2f4b443dce19a997c1d5ec8d5ba8c510fa4cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
f5737b5fe925008e3c159271d43d22b5

SHA1
365a8bb9b2b42391687b5fadd646c65e73628127

SHA256
1094cdc9c88f741e5e4fc498782689b56bbe073818b51a5a8eba9a6b89bc7390

SHA512
4919344ee128289f0747fbff76fff2ab67eb90ac628785f5cf5a0c7bc895bc90510435aa01ad273c3e0a6560ff628b62f9a733f28626c10457fc5270b5f66790

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4c58afffe1d30c48df5d9846321a94e4

SHA1
eadb23c91e0c12bf41c871e6e46090440d2abf56

SHA256
cb0fc3e3156f87fcfbfa01cc621d82176ef6bb6f9a3e6426436b5b67a6c79251

SHA512
4dd4e8804a13597895cba8ccd60220ac73ad195990ed1934518a5d733ba133b586744b8d46041a20860762bd5246ddd0b7a66cf64aa4db1b858d570bd6db589a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
c7f2b986e8813272bd9aa06509aea2f4

SHA1
9121cf3a39f9118d0ed7daed31d597937392089d

SHA256
f2e0fbcff24cb15713949770e4bb182e3ff7e5b2ca7d828c6a92d685badbbb9f

SHA512
aa50f961ec52a70576f506b3e26197fb4f37f7ddd686c5979d8b7157a11cf717589179f6f7a1781c0d7ea0936f515e8ef1a76b17e52411dc489c5c1069efe707

Download Submit

Analysis

Sharing