neconyd | 05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688

General

Target

05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe
Size

76KB
MD5

af73dc59f5c9746496cff37edba69c50
SHA1

6c90b661ad79930d25d153ed308223b31dfa6fb9
SHA256

05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688
SHA512

1ad188fd0165128c3eef7d694fce0b7654674169e8dba9f38103dc8114f0a422e475960179410145d3656cb70103a815c07a3c6e23c313689034f1b8246747de
SSDEEP

768:VMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWZ:VbIvYvZEyFKF6N4yS+AQmZTl/5OZ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2160	omsecor.exe
2972	omsecor.exe
2760	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2860	05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe
2860	05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe
2160	omsecor.exe
2160	omsecor.exe
2972	omsecor.exe
2972	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2160	2860	05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe	31
PID 2860 wrote to memory of 2160	2860	05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe	31
PID 2860 wrote to memory of 2160	2860	05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe	31
PID 2860 wrote to memory of 2160	2860	05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe	31
PID 2160 wrote to memory of 2972	2160	omsecor.exe	33
PID 2160 wrote to memory of 2972	2160	omsecor.exe	33
PID 2160 wrote to memory of 2972	2160	omsecor.exe	33
PID 2160 wrote to memory of 2972	2160	omsecor.exe	33
PID 2972 wrote to memory of 2760	2972	omsecor.exe	34
PID 2972 wrote to memory of 2760	2972	omsecor.exe	34
PID 2972 wrote to memory of 2760	2972	omsecor.exe	34
PID 2972 wrote to memory of 2760	2972	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe
"C:\Users\Admin\AppData\Local\Temp\05e4eeb2e8b90ccc60db4edbd046fefdfd562626b2d8fd9d5d2fb4c7fc32a688N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
17e50bd49da12f4551d690c4183dd783

SHA1
dc4792f43ac792bb27d0bc370897af706fcb3224

SHA256
4a8f219f382e614343615d97a8f732dd6422c25efbab52ce4fdc246d6d2e0046

SHA512
1169424aa6f01eb0c5d8afcc54106a76d84d75421798127aff2cb91363e97599e2167f8ad4f49e4509d85b6937c46182a4cfc8e91b971e7212a72f94e5447b67

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
56bd7d44e2046c42069c7700a19d1e49

SHA1
2f18be4ffd918125d0b6d4963b99134971db06a1

SHA256
632ae4ba7960c1226772d3e40370ae46e0a0d242640c3cf88c6c049d6b0a5bbe

SHA512
b782dcaebb3a8de0a841ef8df406b54f60eb4acc0f25d816d44825be5ff52ce97e466468e0815e4383de899d122667d4028fd67a33d66a6f8e989781284e5193

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
8767c53fe0dbd9d15bb2c9dfd0e5ecc1

SHA1
33e34b1756f9df486f18dd2384248c2aad26ba73

SHA256
7aafcdcfe095c61a3cf5a906312cc974bb8a4d0081494da8e92c0a5b3f936499

SHA512
061207dcfb272cd0c531a22e9ad9873353f180dac14174ad213de5420f37476e903fd837f520e717db06a7b84122b577484cd5246eb9e94b6ccbdbffddb4147d

Download Submit

Analysis

Sharing