neconyd | b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389

General

Target

b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe
Size

80KB
MD5

e859b474b7545ffa83e375b8bdce5c5e
SHA1

741022331bc43fe920ec14e2bd0ca3802140f078
SHA256

b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389
SHA512

20039dc5131949439af5a6425754661de1b00de5648417f05c4a17ec02ddc45e305bf3600c678d9a0524445cf194bc8268217d06c1786ce859472c7f0fa4820f
SSDEEP

1536:9d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzL:1dseIOMEZEyFjEOFqTiQmOl/5xPvwP

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1680	omsecor.exe
1468	omsecor.exe
1972	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2524	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe
2524	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe
1680	omsecor.exe
1680	omsecor.exe
1468	omsecor.exe
1468	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1680	2524	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe	30
PID 2524 wrote to memory of 1680	2524	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe	30
PID 2524 wrote to memory of 1680	2524	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe	30
PID 2524 wrote to memory of 1680	2524	b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe	30
PID 1680 wrote to memory of 1468	1680	omsecor.exe	33
PID 1680 wrote to memory of 1468	1680	omsecor.exe	33
PID 1680 wrote to memory of 1468	1680	omsecor.exe	33
PID 1680 wrote to memory of 1468	1680	omsecor.exe	33
PID 1468 wrote to memory of 1972	1468	omsecor.exe	34
PID 1468 wrote to memory of 1972	1468	omsecor.exe	34
PID 1468 wrote to memory of 1972	1468	omsecor.exe	34
PID 1468 wrote to memory of 1972	1468	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe
"C:\Users\Admin\AppData\Local\Temp\b294e73b9c8f66f1d452ae6ea3c7f58cff998bc6995f55f084f6f04c6714f389.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
994c7acee8247da233ff830136661205

SHA1
10f095dc71cdedc5a26036f23242c45bb2a18427

SHA256
0868407dfd91c98c49a1eb89314a7f53cad13634a02a841d8195c95e6b95e557

SHA512
1300312fde675959a1c931ffb3271bd4898db1015d056c9fcf683085635300f28980b1de2f9146cc2cc7b13a652876653766621679d3b9cbf7df0fe31a512f35

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
62ed41fd2b434afd520ca2855abe2951

SHA1
329fe5264b1239765586e771b06db45bc0f0637d

SHA256
2faf885b46e9b8b92822cd3548afc1d77679c4a16e201fc6c29608681a4424b7

SHA512
51d10dd4f4656d6bc202411f698ba75664347ac3b2ae648a6f58fadbc0b8c2af2326272766e27fad6278334ba4b8b8761f9f6d1dee23d7d0fd30f5242b80ad77

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
b93330524359e5f5981737b653322f18

SHA1
9d028cf336b571bd910e2d6a609d7300a19685c1

SHA256
d6bc57ccb00c28480c491c83964ef82d87cab8e37520e1b267f67d20db222ebe

SHA512
28094b50af3c4a8e8868f566a21a9b6e0a68802d251fe148d186f2a88dcf81e7e91becaa976a032cd31abf9977c110fb7cfefb721b3c8c641064d7a44f3e264c

Download Submit

Analysis

Sharing