neconyd | 56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839

General

Target

56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe
Size

80KB
MD5

f117cbaebbc596c732f6e0743afd16e0
SHA1

d1d49de010abce8baea8674b75433b4c9ce7ce0c
SHA256

56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839
SHA512

34ce1ec3eaafc35c3e47fa0094e109b28eaf0bba953be597d3c56334eab9b44a19a57011b01e95358a1c6d9c0089e1244d570d99003421a1da1efaf722a9dffb
SSDEEP

1536:ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:NdseIOMEZEyFjEOFqTiQmOl/5xPvw/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2540	omsecor.exe
2264	omsecor.exe
1408	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2744	56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe
2744	56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe
2540	omsecor.exe
2540	omsecor.exe
2264	omsecor.exe
2264	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2540	2744	56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe	30
PID 2744 wrote to memory of 2540	2744	56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe	30
PID 2744 wrote to memory of 2540	2744	56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe	30
PID 2744 wrote to memory of 2540	2744	56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe	30
PID 2540 wrote to memory of 2264	2540	omsecor.exe	32
PID 2540 wrote to memory of 2264	2540	omsecor.exe	32
PID 2540 wrote to memory of 2264	2540	omsecor.exe	32
PID 2540 wrote to memory of 2264	2540	omsecor.exe	32
PID 2264 wrote to memory of 1408	2264	omsecor.exe	33
PID 2264 wrote to memory of 1408	2264	omsecor.exe	33
PID 2264 wrote to memory of 1408	2264	omsecor.exe	33
PID 2264 wrote to memory of 1408	2264	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe
"C:\Users\Admin\AppData\Local\Temp\56b1685cbdbe8f75d59c878fbc64e0f874d74859be57e73eb0af7018dbe36839N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
3367fda87e5183a7cc953d0fe68d0454

SHA1
d9e89fb26104326887899b66fd6fef34b2479bcc

SHA256
f0f7981fe0b197280fa17404b02ea9517f5c8e762b8d038c70919c1d7af88b93

SHA512
e06379e1c36d4c088a9f89970fed59134ab324fe150ad3169e04025e51d207961bab7f4ca7669824217d3754f955e56ed1dd39771a80e64de271164acaee9e2e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
cd2339ef927cacd592ef5c574853a500

SHA1
7545bfda7b70e9d27d56cc4a533a5e0e7adcdf82

SHA256
7953809493e2bf5e055d1e5f55ccbd92ec9483e0c9317ea8dd12a7d238285026

SHA512
08f5a2d9917bf4af7402a59326095a498b8b125b74a2fa072488694fc58ccd6f0b3e3b101d061106e62c4db0082ca280487a49cd134999134ac80cbb380045f5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
0bbd3ecf574bb4e923c93ffe77cb4279

SHA1
21f4744ab43a75fd257d168e308885b7f59bed17

SHA256
6a2d53d4cbee7868031a46b59be2ee63745f7b3dc20990d6cbe353d6870d9b8a

SHA512
e456c4a3c1b034a9e4e1d8d4de8f2b26257db579bd2321382be638fc2eba5f49e5ab905e8953474f694d625eaa0a5c6e43cc710210e6fabeb5b5bbc523791b31

Download Submit

Analysis

Sharing