neconyd | b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483

General

Target

b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe
Size

80KB
MD5

ea52200dbd683bc5981df0295e11fa90
SHA1

61dfbd5f353534c5c7ad3b2824c1a12ce9098f9e
SHA256

b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483
SHA512

255555ae32d54ea6da40d6b53733984e7b1af65d1b20ce7dfd05746fbaa459ba57da43257f481e9c8727e3fc4094b4c641614a396e87a568ceb2d8ba7bebc4ef
SSDEEP

768:ifMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAO:ifbIvYvZEyFKF6N4yS+AQmZTl/5m

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1304	omsecor.exe
1104	omsecor.exe
1992	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2128	b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe
2128	b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe
1304	omsecor.exe
1304	omsecor.exe
1104	omsecor.exe
1104	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1304	2128	b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe	30
PID 2128 wrote to memory of 1304	2128	b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe	30
PID 2128 wrote to memory of 1304	2128	b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe	30
PID 2128 wrote to memory of 1304	2128	b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe	30
PID 1304 wrote to memory of 1104	1304	omsecor.exe	33
PID 1304 wrote to memory of 1104	1304	omsecor.exe	33
PID 1304 wrote to memory of 1104	1304	omsecor.exe	33
PID 1304 wrote to memory of 1104	1304	omsecor.exe	33
PID 1104 wrote to memory of 1992	1104	omsecor.exe	34
PID 1104 wrote to memory of 1992	1104	omsecor.exe	34
PID 1104 wrote to memory of 1992	1104	omsecor.exe	34
PID 1104 wrote to memory of 1992	1104	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe
"C:\Users\Admin\AppData\Local\Temp\b067f350fcff00b18ccc9f6779e8ec49c2db062ac8cab36666f527fe2f3c8483N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
99920d798b3f640af318d2f6134735b4

SHA1
51fab2f5b2660d3f116b49c05929556b297a1b00

SHA256
6a22b6b28b20a7c2175442f3399328e29dd7d2365ceac30d602b3c3b13a1ef8e

SHA512
6c9595c351ced2ea9d5066ac8f92afc14dac77b1d2b9ac2d229bbcea306621480511ee192d771be8ba797299823f000e1f664d58611e835735d309446be23527

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
8ae66bbb0f5646f5f8eb4215b82628d5

SHA1
488b50ed9e2d6f6586d23e57dc5f4b7036c397fb

SHA256
d1deed797cecc89d6febbf00f34b6cfa52b1dfb277f3b206b1e2b99aaf72bb4a

SHA512
ca0f6ba279fd7f9ea817f541a932ca3a125a09339bdd8ab5e4d38c1487d81493a2e6bfffd51647af14be10995424b18d16655a453096681afab075cfa7f351bf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
a86c97bd4716b6c446adaa8c288dc0d9

SHA1
5d24bc98deaa3ae94ac18f1258bbe694b23b4292

SHA256
d8ab7cf7b00ac89cc77b2418d3e11d704b59628bfccb2b73368bd2ecdeb5141c

SHA512
cf4b68e27dbeb489d1e1852082780f1c94e21e4ed5967e9188a8dd22b4586f07257c5e2d4b79468fb2e8cb99a730e3720ffa5f3e0cbbeab43281d1bec07d5224

Download Submit

Analysis

Sharing