neconyd | 5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47

General

Target

5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
Size

80KB
MD5

f97587f7b361193b7db0db38ad4fb970
SHA1

584034a137030cfcee780ef8835c5d7de588e081
SHA256

5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47
SHA512

157bd41c8dd5160f3270a02de352136f15368e632cd08573753dc0a81d3eb2179696e8f5daef7cff15735e0ad7a325ba567a9e4f6ff54befe3ebfc9d8457ccf9
SSDEEP

1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:MdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2028	omsecor.exe
3000	omsecor.exe
2108	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1176	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
1176	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
2028	omsecor.exe
2028	omsecor.exe
3000	omsecor.exe
3000	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2028	1176	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe	29
PID 1176 wrote to memory of 2028	1176	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe	29
PID 1176 wrote to memory of 2028	1176	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe	29
PID 1176 wrote to memory of 2028	1176	5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe	29
PID 2028 wrote to memory of 3000	2028	omsecor.exe	31
PID 2028 wrote to memory of 3000	2028	omsecor.exe	31
PID 2028 wrote to memory of 3000	2028	omsecor.exe	31
PID 2028 wrote to memory of 3000	2028	omsecor.exe	31
PID 3000 wrote to memory of 2108	3000	omsecor.exe	32
PID 3000 wrote to memory of 2108	3000	omsecor.exe	32
PID 3000 wrote to memory of 2108	3000	omsecor.exe	32
PID 3000 wrote to memory of 2108	3000	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
"C:\Users\Admin\AppData\Local\Temp\5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
77747f222cd5cf4ebe7b1fb987aa71cb

SHA1
280957e938ce3b4cad37ed83178a19723d7f4d8a

SHA256
489db48d37861cd49820a03e80195a23c6fbfacc3ab3f78787cfe1b8dd3d4445

SHA512
69480b79172d30fea7bc7f51ab174717b912285d41d09a6bb82ad70bd1f7d7797dc90c1b9771e85212071bbdf5fb535d9fa917954eaa2ec23ac9ab4c7d3b1c2c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
ece9228ff3e9eadc96fe4e551cf046bf

SHA1
6d3ee3713033e741751cf9f16aeef52e1b5009bd

SHA256
19763069fba3793eb8029b380d0e6dc6a86825f719c5ffa8beb69f03beabc3bf

SHA512
b6d5d9a6b4f147380e882a94a8ccd659c198012bf90710eedc3440a21121defe9fd7b0af6a174b8e3de2f0b890ed0725a21bf3881f40de024362cc3ae3ce4cc3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
878238c9c7205b3d51cc3125eff1f89f

SHA1
c34396ccefc2dfc67b5fa13faf2cc90a18ae8556

SHA256
9b87b7b5dcdc8425ec5cf0ead4d6b91b3c317341a8909be6e196b3a6598a4bcd

SHA512
19aaa5001c85e13ea0d7037b4015d8eb23f325db04062702a6f99fca8e995be8bc35beba63fc25e4be10227857f57fd50a3b0f7112090a70a900060dc228cc10

Download Submit

Analysis

Sharing