neconyd | d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6

General

Target

d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe
Size

80KB
MD5

3305fd01ff2b546d96e430ce2b038647
SHA1

6cf7578f1569816cb9af240863c614e5f95a63c7
SHA256

d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6
SHA512

889dc7490eb44e9763caf3bc20e5a9d54f8e5d562e4c4dc5816b47e790cd37008ec021878a89cd1b4c9e80da2a49838b9ac4db1ff86e476bf92d925a4f713996
SSDEEP

1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:edseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3056	omsecor.exe
2632	omsecor.exe
2392	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1720	d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe
1720	d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe
3056	omsecor.exe
3056	omsecor.exe
2632	omsecor.exe
2632	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3056	1720	d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe	30
PID 1720 wrote to memory of 3056	1720	d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe	30
PID 1720 wrote to memory of 3056	1720	d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe	30
PID 1720 wrote to memory of 3056	1720	d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe	30
PID 3056 wrote to memory of 2632	3056	omsecor.exe	33
PID 3056 wrote to memory of 2632	3056	omsecor.exe	33
PID 3056 wrote to memory of 2632	3056	omsecor.exe	33
PID 3056 wrote to memory of 2632	3056	omsecor.exe	33
PID 2632 wrote to memory of 2392	2632	omsecor.exe	34
PID 2632 wrote to memory of 2392	2632	omsecor.exe	34
PID 2632 wrote to memory of 2392	2632	omsecor.exe	34
PID 2632 wrote to memory of 2392	2632	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe
"C:\Users\Admin\AppData\Local\Temp\d5bad112ac90f5d668331ecfb13d379426f5be4d26cb1bec44a7e2a76e0d89f6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
ad0407ac6e40c0920979e02254a3f518

SHA1
e2d6a509ace36c695286ee8307611451195fdef5

SHA256
e802e5c80849689f16e95d235c69e1389a3081da5a87c4eb40adda55e23e5373

SHA512
90a465d42f6152c25804efc16590c142ad8e2d40ec98f457d0c117b20abee838daa5e0496104300b7ec31924d72e6b38869f7fb2794ed9503129f5203653e89b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
00ad9c13a95d4877a83aa6b3779ad894

SHA1
a899fe6f4d3cd2b51c9acaac2d589a5ed52c3d71

SHA256
6330f0df6548466b17c8aa593865665b6511355c3e4f1d6e44c8dd47904676cb

SHA512
6076fdb6762a73e03a2a846aa03b535b24bc222060adb4ccb1816586e160ca7df3e13aea172cc86cf0ad41e4f1b43a53bb7ea153269b9ec331a1c9bf301f1c82

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
aa7ece18956c9c4882545decb0ff0319

SHA1
ca73e7ba8413dfaf8e699085808184213cf01b0f

SHA256
69c6c527f56c06e23171258a26d16bb7ee3fa2f06730109179a7ebdbf8971d16

SHA512
2965d9ad54d478b1efd892a1a453b3c5b68afb67c28712fa9c84ccde2fc4adcbdc805869704393fd7b900e635aefb4059b2fbe793d4e18810dac1fac55753b34

Download Submit

Analysis

Sharing