neconyd | d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9a

General

Target

d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe
Size

80KB
MD5

fb30f745ff7c2626a18b4391a78b8580
SHA1

a00c4a74b8e347e82409da5f39deb610ca61cabf
SHA256

d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9a
SHA512

b74006cfe59fa33bdb9cc7b8e7c484d80d0658503385bf592a83a121f9d81b9416654003f4dcd2a0c4087fb23d58257fbfe74136387ec228f11a5bb57a94faf6
SSDEEP

768:/fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:/fbIvYvZEyFKF6N4yS+AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1856	omsecor.exe
2612	omsecor.exe
2968	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
572	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe
572	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe
1856	omsecor.exe
1856	omsecor.exe
2612	omsecor.exe
2612	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 1856	572	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe	29
PID 572 wrote to memory of 1856	572	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe	29
PID 572 wrote to memory of 1856	572	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe	29
PID 572 wrote to memory of 1856	572	d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe	29
PID 1856 wrote to memory of 2612	1856	omsecor.exe	31
PID 1856 wrote to memory of 2612	1856	omsecor.exe	31
PID 1856 wrote to memory of 2612	1856	omsecor.exe	31
PID 1856 wrote to memory of 2612	1856	omsecor.exe	31
PID 2612 wrote to memory of 2968	2612	omsecor.exe	32
PID 2612 wrote to memory of 2968	2612	omsecor.exe	32
PID 2612 wrote to memory of 2968	2612	omsecor.exe	32
PID 2612 wrote to memory of 2968	2612	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe
"C:\Users\Admin\AppData\Local\Temp\d0fbe1c9295de98143136948803912ab557427327935cac55138f9326fc80c9aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
4a3d6923b29e6dd5ab1348676334a0c5

SHA1
a52abee502c18e703d3d3c3a9c6b18779a216e41

SHA256
cebffc79063ed4878f2339ec5ed54ab0320d30efc13c277fef1eec2eaaea31d7

SHA512
3c86b9522ca407c0e223285f38a669f4673e65f4eb567757d9f1539b4b0d91c6a37865032260d4df2d7ef759ca3aed3eeeef35ca9df1a479a1e5ed4befb98289

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
47854a90230369baef10bff4b589115e

SHA1
873d67c1b7486a5738b9c4f6130c2c042ffb182e

SHA256
e21ab2360490f5a7c4a7c5632dbb295d69a3dc7a3322ba6e8706b8021f8609a5

SHA512
a9e39fd3d497cef718137eb5691e918a41557fa522c1ef0dfc6e0565c897d7b9117dffeec9d0e4886199322c5b2dd4d61e7eca9d91f3378699457ff60274c1a7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
8035e143e3c94555e869b78f3a439ca2

SHA1
56df1247209c47ddc690ee6612dc3905bde33537

SHA256
c19b70d7a1b4defc46e8e53cde0e0df3215af948bafef8e050e882e5949a76f0

SHA512
3e2f81faaf87b5726f03de31a3b3d238d942c4053d0a363ca7b7d4cabcb51d69508eba265a89ab34ff395f7e8fe550a593aee3c4456b7f2b6776787395a87fb2

Download Submit

Analysis

Sharing