neconyd | 23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3

General

Target

23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe
Size

64KB
MD5

ab660ac97e4215c8a25ab856f9ab8c90
SHA1

d410e8a18338ab2a0b2a3d94bc65de959a69eb8a
SHA256

23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3
SHA512

f1b5539a025b20f0ca76c87b768facc5b0a4a23e73ab97f7e125b2594af0557a80bbbbad8612665f652d4743ef7ef68244d57b3ffb047adfab5f7bf513e042d7
SSDEEP

768:7MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAH:7bIvYvZEyFKF6N4yS+AQmZcl/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1964	omsecor.exe
1304	omsecor.exe
2512	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2336	23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe
2336	23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe
1964	omsecor.exe
1964	omsecor.exe
1304	omsecor.exe
1304	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1964	2336	23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe	29
PID 2336 wrote to memory of 1964	2336	23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe	29
PID 2336 wrote to memory of 1964	2336	23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe	29
PID 2336 wrote to memory of 1964	2336	23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe	29
PID 1964 wrote to memory of 1304	1964	omsecor.exe	32
PID 1964 wrote to memory of 1304	1964	omsecor.exe	32
PID 1964 wrote to memory of 1304	1964	omsecor.exe	32
PID 1964 wrote to memory of 1304	1964	omsecor.exe	32
PID 1304 wrote to memory of 2512	1304	omsecor.exe	33
PID 1304 wrote to memory of 2512	1304	omsecor.exe	33
PID 1304 wrote to memory of 2512	1304	omsecor.exe	33
PID 1304 wrote to memory of 2512	1304	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe
"C:\Users\Admin\AppData\Local\Temp\23ea430d89de77a03cb812438b3a05c2c0883349a20e8c769b91e35774d889a3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
448ed9dead6bc1cd7843e8d4e482a463

SHA1
4297e0543a7478076b2e5936e9856c26b34da848

SHA256
12f66ff8aca1562a7e3ba2bde9231405695fd1e2729356f3b629a3356f2c9f50

SHA512
5a86629e76c8f98bf38ccaddb4dddf3fd6231d7a8a6b30c0617df2e8ecfb5b66cfdfe019f2d092ad1258dcafdff2c176e31835cb7e9c89673ca93817a09aafa8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
b5e229d1709035d2691a5c4d61ffe60a

SHA1
c87a3e236c9cc9e04d58a6c887659f7ca5825b39

SHA256
b79a2df0cb096fdae833b86c236fdfa2e9d45cf42cec54fe1c7fe3a67232e48a

SHA512
06f2bcd0f25031ced5c18787f8f5b10a3cdaaa6580ff6127a6142d9fe5384514cb74418f915eaf289771e076f4fb7672430d9b8309a78c6aa1b2ead4675290e5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
10af60c0b5e61bf369cef47cc64ebd91

SHA1
8a0995784be29c7de66c22148507d0cf02ee5fec

SHA256
cd5c340edfdd3f47ec7e1ce8eb3d15591be8a90760b0b66bf093cb21b5a6913e

SHA512
b6796366832b85d9caac52f190ea9c91fd5f3e8d97399dc13d06e47a6e0b178c5385984877948a40538f2aa41b1a431f959edac179adb2ef81253827876a64a5

Download Submit

Analysis

Sharing