neconyd | d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040

General

Target

d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe
Size

80KB
MD5

029bc3e7f7e9b083d164a4494d19c050
SHA1

a75096592ea0844bcd11ab19df8450fe25388421
SHA256

d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040
SHA512

f1c300492c6a4438aea6773b27edff43fd14b4f33168d43bc11748544f591d42a8a184611095eb5eab93194896b14e608860656d0d8cc4633c04167628b557b4
SSDEEP

768:ifMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:ifbIvYvZEyFKF6N4yS+AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2368	omsecor.exe
2868	omsecor.exe
668	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1740	d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe
1740	d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe
2368	omsecor.exe
2368	omsecor.exe
2868	omsecor.exe
2868	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2368	1740	d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe	30
PID 1740 wrote to memory of 2368	1740	d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe	30
PID 1740 wrote to memory of 2368	1740	d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe	30
PID 1740 wrote to memory of 2368	1740	d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe	30
PID 2368 wrote to memory of 2868	2368	omsecor.exe	33
PID 2368 wrote to memory of 2868	2368	omsecor.exe	33
PID 2368 wrote to memory of 2868	2368	omsecor.exe	33
PID 2368 wrote to memory of 2868	2368	omsecor.exe	33
PID 2868 wrote to memory of 668	2868	omsecor.exe	34
PID 2868 wrote to memory of 668	2868	omsecor.exe	34
PID 2868 wrote to memory of 668	2868	omsecor.exe	34
PID 2868 wrote to memory of 668	2868	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe
"C:\Users\Admin\AppData\Local\Temp\d3946541fdb7c659f6452413b85e271bc5e3e7aee6e6ce6bf839bb2da97ff040.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
0ebbc53eec2b017a92172f9fadc5cd82

SHA1
b4d175effc84630052876d79ce67bfc99ed3be09

SHA256
b224b7a83743e1092d300a087eb194268866669ac2cefa32cacbf31c7184b78e

SHA512
117fe01777de66585fb2b19f380c3913f4c79755641798facc96176c2eeea7d1ac60618dcb1f0f790be9918000b5f4a9c8bed1927897f7477ded1b70b8c4496b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
74e6bcf041e01ec5aed4dfd37057f167

SHA1
49a8cde3321a73a90ff1238e7da473a38939f204

SHA256
cabe734e4f2d9078d8502d2b4972577a4a4aa7dd992f26ca7a42e97ea5bc6e5e

SHA512
d2f52c1fce19cfccd2e20b7a546124bb5b54be888165db6311d1b8bbcedd2e565e691a6e502f0acd10acd2ae545cf5f0453776fe7277e693559de1dfa2523f52

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
35b795c96e53a8c110885b0f10446140

SHA1
96df8e639d54d3055f5be41bc4f9b44612258d5f

SHA256
8fb4f3801ce0dfb07e0cead60791f999921b8360a75ac6bee4c0538f93c5473c

SHA512
d9aaf49230357670933cc87e8690b031438ec3d18bf03d49606823829fb3bd35a1511d52ba70a4c40d8a21e99ba3bf200318db982f3d916d8d2574e5bd895fc6

Download Submit

Analysis

Sharing