neconyd | 1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08

General

Target

1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe
Size

80KB
MD5

b0ef11bf09c019fa8d2e5122ee68d450
SHA1

5c8ed771b867951c04292faa15a7a9921ee5d739
SHA256

1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08
SHA512

0dbd02f777e92b95421e08dca4129094900877b1894b2d732b76de8b64ca600e77854247da755b6c1743b63a2d025b671a932ae8553c73215bfddea98b6415bc
SSDEEP

768:XfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:XfbIvYvZEyFKF6N4yS+AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2600	omsecor.exe
2944	omsecor.exe
1300	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2980	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe
2980	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe
2600	omsecor.exe
2600	omsecor.exe
2944	omsecor.exe
2944	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2600	2980	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe	30
PID 2980 wrote to memory of 2600	2980	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe	30
PID 2980 wrote to memory of 2600	2980	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe	30
PID 2980 wrote to memory of 2600	2980	1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe	30
PID 2600 wrote to memory of 2944	2600	omsecor.exe	32
PID 2600 wrote to memory of 2944	2600	omsecor.exe	32
PID 2600 wrote to memory of 2944	2600	omsecor.exe	32
PID 2600 wrote to memory of 2944	2600	omsecor.exe	32
PID 2944 wrote to memory of 1300	2944	omsecor.exe	33
PID 2944 wrote to memory of 1300	2944	omsecor.exe	33
PID 2944 wrote to memory of 1300	2944	omsecor.exe	33
PID 2944 wrote to memory of 1300	2944	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe
"C:\Users\Admin\AppData\Local\Temp\1d6e570f8dcf2a02d1d1585fed62e5d44402633d6054fed95f1097db3542ff08.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
96f11a22b41ac0587a2f63281678c76a

SHA1
b2c4eda51a6dc1020a0633d1a63b531139a4d501

SHA256
b407803f3eb01f017d7112d171d5ad5393221f3716d7f8dc0ef33f47aa299ff7

SHA512
df92a7e3ac34c1f6cdda7ae1959f5946272f4a8d202fbfc904690b2d11bc95539521a4628827a56480d226d5166408a50c8cda4644e8292524c347140a54aa6c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
ac8789c532be9e6a292fb57ed7caaf94

SHA1
fa74e5c1f22ee507da3a0e908fe19beec9f28fab

SHA256
8107a438fb9056ac1aed711a09574ccc6e22316b87e66a3d1684eba524d3e5ef

SHA512
04323eba18c5ab81f25ee5d43da74e0b220f4318deb2baf4cc7865aa32dd4bdd935bb599adf616c54d79b94edf1740ab5d1a11e4efceb4fc4728ef5ef6bcf8fd

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
4c9084022734830390de2fcaf55d7217

SHA1
3d4f5adb229825a8b6a507e3aac7ffae979ada7d

SHA256
66949f365920131bbf85e64d4067934a6e6cd6a3b490f8bad04e303726219839

SHA512
cb2d86ecc03388bdb1409d724c4290ce9a4a7a9bb7f372874b90f312b05003bb686fd9a733771212b1f825e26662e853b19e9999ec74fdfe90e835be2487c88b

Download Submit

Analysis

Sharing