neconyd | 1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7

General

Target

1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
Size

61KB
MD5

09534757f4b64fd024a45cc653752a8e
SHA1

56d4789246d617c29d058c8a2cff3ddc32e7394c
SHA256

1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7
SHA512

7deee7ad0d96210149ee8fcdaeacc10403dcd735518bddc58bb5499eea4e47f2514d3ce1b07b61a65fb0cb8165760318bd1494c729434e6a5267ac67652892be
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZjl/5C:kdseIOMEZEyFjEOFqTiQmxl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2992	omsecor.exe
2164	omsecor.exe
1168	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2392	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
2392	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
2992	omsecor.exe
2992	omsecor.exe
2164	omsecor.exe
2164	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2992	2392	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe	31
PID 2392 wrote to memory of 2992	2392	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe	31
PID 2392 wrote to memory of 2992	2392	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe	31
PID 2392 wrote to memory of 2992	2392	1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe	31
PID 2992 wrote to memory of 2164	2992	omsecor.exe	34
PID 2992 wrote to memory of 2164	2992	omsecor.exe	34
PID 2992 wrote to memory of 2164	2992	omsecor.exe	34
PID 2992 wrote to memory of 2164	2992	omsecor.exe	34
PID 2164 wrote to memory of 1168	2164	omsecor.exe	35
PID 2164 wrote to memory of 1168	2164	omsecor.exe	35
PID 2164 wrote to memory of 1168	2164	omsecor.exe	35
PID 2164 wrote to memory of 1168	2164	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
"C:\Users\Admin\AppData\Local\Temp\1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
26db7c016a583f578811e13cedcfdcbf

SHA1
aa7bb664a2e55869765012aa3ec2b7256ec1c850

SHA256
838f89384c7a5227e11a466791d2f391aec92c40aa26792f6cd28e8609c61551

SHA512
500921f79da5706064559cd9fd1cfd9f0903df328d53e4e54def91608b54d82c71478765937d6d7a1b9e2516adb063423493b7dbfdf7a7fc6b46767cf0485a8f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
5d291497b4c2883431077eacb0ef030e

SHA1
7da23993de20c90e7b311c988c0ea32663292988

SHA256
fa6f1ea4779d7e13a1ce36b59738f6b5fb1b1fe4d23e9861f2f99829aac2c413

SHA512
bcc6de40c789ed73d98bcae4556bdb9f3bfd5ed5fb00d82b1d11c7e23abffe0177f6e39eb131652f2325b9c2860d0d401e8de6bcbbc9f1df9e81bf5172bc1657

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
e0fc44b69f3da665c5052d233d0b8276

SHA1
36d6ad77ea8df8cc495e1e2426b7ea481088623c

SHA256
94aa2955123be522a813ba1c1e1119973ac42d90368d84b22c94b4e97cd7bc7e

SHA512
9ca65629b55b6bc8cfa871e7c6c3210c0650ff6eb371fc0a94a2a569f0513703003925421cbd77501b277e661c089f78567121aa0281efb55f49cd301f67cfb5

Download Submit

Analysis

Sharing