neconyd | 5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca

General

Target

5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe
Size

80KB
MD5

1be45c634fbcc66ae879f6df6189eaf1
SHA1

81f88506aebebb2758352317c4b0c66f836051cd
SHA256

5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca
SHA512

d8e78a3cc4b01e8cc95034edfe93680d8a6a3b10356627374e1ad8631e09a28c7587ece71a9917e90ddb1a054d4daac2d670e1c08b1e67eb80000fb5e344a36a
SSDEEP

1536:Bd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:xdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2864	omsecor.exe
2996	omsecor.exe
2960	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2776	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe
2776	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe
2864	omsecor.exe
2864	omsecor.exe
2996	omsecor.exe
2996	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2864	2776	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe	30
PID 2776 wrote to memory of 2864	2776	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe	30
PID 2776 wrote to memory of 2864	2776	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe	30
PID 2776 wrote to memory of 2864	2776	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe	30
PID 2864 wrote to memory of 2996	2864	omsecor.exe	33
PID 2864 wrote to memory of 2996	2864	omsecor.exe	33
PID 2864 wrote to memory of 2996	2864	omsecor.exe	33
PID 2864 wrote to memory of 2996	2864	omsecor.exe	33
PID 2996 wrote to memory of 2960	2996	omsecor.exe	34
PID 2996 wrote to memory of 2960	2996	omsecor.exe	34
PID 2996 wrote to memory of 2960	2996	omsecor.exe	34
PID 2996 wrote to memory of 2960	2996	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe
"C:\Users\Admin\AppData\Local\Temp\5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
f62aebc9707542d10e59fa0b674b7605

SHA1
6b4b3e81f915cc6c5539cc0a9310f84feb5b4b5c

SHA256
4369ae6ea54d7a46c9762d205d4696c0634f5f1351e552e995bbefe2e16fe8d1

SHA512
18e439ea5c5b91e9aab9a5e99c80567558214542892994a007c4d075b2326d979cb651fdb96eb80d0db10ef87ff2468a7546bf1f852a9807118612ec4008a213

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
afc3dfb028f753eff204ed68c0e43ef0

SHA1
4056eb3a269fba7ecf708c77ebcb8e617fc7183f

SHA256
f40ecbe8075a11d2b95196d5c42ee00a35107893a19cc0ce559a67b6b0a193da

SHA512
b96d0516e54a548e9459208f35ae7ee702e3bf6a0230f14aac19cd699d0a24d377c59de313234683bda8e7e9a2da06316d64bb4dd8f62e73380b52a13a09448f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
3a1ea98732605c3392ea6ec664908d4d

SHA1
dedeedf49ab433db4afbdc619d17627cb53fe6fd

SHA256
9afcb9467d42516349a77b82a562ce79e9eb0b9889295275a2843b685125932d

SHA512
9a6ef011bfa9e733b2fc36f31cf20fc3e7de6e3df0d58fc925f5dd13b2b03716db721910e0db1baa3b18920b46f7b61ec746e7ef47e364bf7eca68e1894d8271

Download Submit

Analysis

Sharing