neconyd | a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b

General

Target

a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe
Size

64KB
MD5

5ffc544c383323e6b8417076eab27ef8
SHA1

2c3476521e6833ec97f792a504768f4b2c47fea0
SHA256

a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b
SHA512

85695a434eebfe2a8f9461ed00dc80e3a57cb1e81263e8770b658d15ff1b486436331c8f7cfb1111f6cc68d55f2bf58857b68737457e9bf5a1663618edeed852
SSDEEP

768:7MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA1:7bIvYvZEyFKF6N4yS+AQmZcl/59

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2128	omsecor.exe
3020	omsecor.exe
588	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2328	a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe
2328	a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe
2128	omsecor.exe
2128	omsecor.exe
3020	omsecor.exe
3020	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2128	2328	a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe	30
PID 2328 wrote to memory of 2128	2328	a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe	30
PID 2328 wrote to memory of 2128	2328	a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe	30
PID 2328 wrote to memory of 2128	2328	a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe	30
PID 2128 wrote to memory of 3020	2128	omsecor.exe	33
PID 2128 wrote to memory of 3020	2128	omsecor.exe	33
PID 2128 wrote to memory of 3020	2128	omsecor.exe	33
PID 2128 wrote to memory of 3020	2128	omsecor.exe	33
PID 3020 wrote to memory of 588	3020	omsecor.exe	34
PID 3020 wrote to memory of 588	3020	omsecor.exe	34
PID 3020 wrote to memory of 588	3020	omsecor.exe	34
PID 3020 wrote to memory of 588	3020	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe
"C:\Users\Admin\AppData\Local\Temp\a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
5eb2f3c5219067f8b352d5fae6f04c90

SHA1
1f2a35f326c59779b727a8399079ec2689e8a23d

SHA256
7a27ff7bfceedef097073b3d23c8240e91b1db4c5471d5e4a8337208e495fb9a

SHA512
9a54e248acd9a955f594c95c2bead6769b0eec801ad6a7c28e97367a275515f03bc66cb29bc275181111c23e15f0c8c573d55afd2e1b6fcb076609e4b65ff9e9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
947975a9ed73742cdb0f7773d586348b

SHA1
48c6255810cdcaf8e20de57f573ccccf22f5cebf

SHA256
2912e01891355ed26c59646b1d5d2136a0a9bf7ba07ca96843e25168a784643f

SHA512
fd57ceb0764bfbe9e64154179e17ce612b7f14b15cc6120881b87cfa7714175be4049bff366731b9b406590d8c9bfc8294aa6fd92fda2a593fca5857e2b33d7c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
6c7a3c8658e958bc40cc5593b828de90

SHA1
19abefbde65d62829cd88ade4d450358c85cf24b

SHA256
830cc43bae390cb4889675519ec1da2e0b05a526deff060f31fbad5a0d5444f5

SHA512
69cb2eeafee726932d785ec1fef6494d339a9d3596c6ed7d263c808cfa4427bdf9785ada4ac2eaa4116810a7bd63acfdf335fccde75cad842d89f0ee3d6e16f1

Download Submit

Analysis

Sharing