neconyd | f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a

General

Target

f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
Size

80KB
MD5

ad4435bb25f4a761455cf19cbf6b59cb
SHA1

249e6d126522149a5b5d6c2fa1c788fed38943e0
SHA256

f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a
SHA512

d9f9229dcbf3bc5149028280a0c764538225bb9e83a3f52402def65293b2d2802b6eb8b859fe2487113b03662d323455a52f74bff50040ff59c382ccaa5dff0b
SSDEEP

1536:wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzp:wdseIOMEZEyFjEOFqTiQmOl/5xPvw1

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2160	omsecor.exe
2076	omsecor.exe
892	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2684	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
2684	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
2160	omsecor.exe
2160	omsecor.exe
2076	omsecor.exe
2076	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2160	2684	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe	30
PID 2684 wrote to memory of 2160	2684	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe	30
PID 2684 wrote to memory of 2160	2684	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe	30
PID 2684 wrote to memory of 2160	2684	f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe	30
PID 2160 wrote to memory of 2076	2160	omsecor.exe	33
PID 2160 wrote to memory of 2076	2160	omsecor.exe	33
PID 2160 wrote to memory of 2076	2160	omsecor.exe	33
PID 2160 wrote to memory of 2076	2160	omsecor.exe	33
PID 2076 wrote to memory of 892	2076	omsecor.exe	34
PID 2076 wrote to memory of 892	2076	omsecor.exe	34
PID 2076 wrote to memory of 892	2076	omsecor.exe	34
PID 2076 wrote to memory of 892	2076	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
"C:\Users\Admin\AppData\Local\Temp\f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
35e41059f24b43b24796a6bbee1700c8

SHA1
ca179cb5f7eacc1352be79b5f85abdba1651052f

SHA256
09931456a13261ba5211a89c8c418dc2a705037219d5e7dbbf9f476fe96ef9f2

SHA512
92159a744ea8f97dce8a221a6ed489d0896c4aa5cf4a282a4f492de7c935ad2d192efc0de3c959468f08da937559716d7509c95736b733c1926a2401baffed88

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
7f69f50981280c2cc8f86c1c46fa2dd5

SHA1
2d1683f46fe73fff767d2262ac26e13af2192e04

SHA256
ff9a7f29515acaf878aa7b0c8c8e603bc18598a1a243d96f5ce61e4d01a1c5c1

SHA512
eb7720bf403cf97a5ff52d8574aa53b61a87d99039ee8271599b7165f5e5dd4c238df26783c9974bf7f989e863ac85825d72c8bc25581d7c0929bd8bd520ff1d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
152cea453f45daa47e673bd9f3ac2bb7

SHA1
b04a9be012de63ebc9b885c2d48f107cb547b48e

SHA256
82f8dae436cc816d4f32968a40509c5a4fec313530899607ec8063520bfb2ee3

SHA512
0086663b1b177d1b79b4561fcc8ca5f2b07bea994df15e752a7b93f7d7a6ef24550b54682b9f5ed065ca45c3e6ced299b59b023cee67b4f4f66dc5ca6b867ebc

Download Submit

Analysis

Sharing