neconyd | fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4

General

Target

fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe
Size

61KB
MD5

aef12e5b9612fb334ce7510c220fdd29
SHA1

8e0ca52f347b5c1096b2f66e643ddde271975618
SHA256

fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4
SHA512

5884d4e2c9e4f6047d8606cd38ba75dd61a7098612e24830bd4872422853093a6215f053dbc7e19801ef86abf18ec31becaefaa5d52937978d7285d180958a6e
SSDEEP

1536:bd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ1l/5t:rdseIOMEZEyFjEOFqTiQmXl/5t

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2772	omsecor.exe
2384	omsecor.exe
1652	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2692	fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe
2692	fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe
2772	omsecor.exe
2772	omsecor.exe
2384	omsecor.exe
2384	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2772	2692	fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe	30
PID 2692 wrote to memory of 2772	2692	fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe	30
PID 2692 wrote to memory of 2772	2692	fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe	30
PID 2692 wrote to memory of 2772	2692	fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe	30
PID 2772 wrote to memory of 2384	2772	omsecor.exe	32
PID 2772 wrote to memory of 2384	2772	omsecor.exe	32
PID 2772 wrote to memory of 2384	2772	omsecor.exe	32
PID 2772 wrote to memory of 2384	2772	omsecor.exe	32
PID 2384 wrote to memory of 1652	2384	omsecor.exe	33
PID 2384 wrote to memory of 1652	2384	omsecor.exe	33
PID 2384 wrote to memory of 1652	2384	omsecor.exe	33
PID 2384 wrote to memory of 1652	2384	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe
"C:\Users\Admin\AppData\Local\Temp\fad56a85fec904b987209ea41c906099189f48e0bfdd40b99423ae3d867b13d4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
6070ec7d343a66283294dd04a601efd2

SHA1
14d8e7aace75381d3477062d9603eace43a5196f

SHA256
5683ab6f4023419846f718e87735e4b730b65767e1ce7ab9dcd5b635e947dd82

SHA512
119c41c6524ce2536b6db28c69a7684aaf1d8afd67d5e56ee07da2987354892504b22308cd11aea7a9482c9e0bc7ee7d62fd28e99337a2508ff472c95a64613a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
5534dd0d55e96a87e884cc465d16878b

SHA1
5b0d090b59363ba96207416e56e4c93e3b49b129

SHA256
d4a98bcdd7f5e1be561940f74dd3c5c8b0aebc7c3a0ec644f239e85425e7ad92

SHA512
809a0c14366782f6c9ab2d61df6a3632870db9ee8f4fc38074087ac508617b8f5da4d8587d144d0bbf9619d436bc1f6a3b9b152897ff904bdc8c2052b02f57a6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
92a704672dc6597fa28f6e254ced8f27

SHA1
cab9c8d02db64cea33ba80373b5623ce233ef895

SHA256
3ca8db47bb87e3334b03c79c2d49b293a5a47bee36cfb0689cc7e1697799f93c

SHA512
3b7ac123bfcc61e1863b16133cccc3ff493b9cd9c9f82d0546205a673926b64e6f9f31a7fba601efb8375672a5f032a890e30d8496c9c13a8ebaaf6e9f6d4b1b

Download Submit

Analysis

Sharing