neconyd | a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66c

General

Target

a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe
Size

61KB
MD5

4981f7765f07778d0a525d78ab232a30
SHA1

f5a1a906965985a86aa1efb5db061cd56ebf3444
SHA256

a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66c
SHA512

5e899eab8d4b4bb9f82f36bb17fbf3c85e874f7ef17d7d37d5d4e84cf3efff93d13bbd83f9f9c483256b07283404dc9f2fc73f1eb16ec8b0d1de48c121cc9111
SSDEEP

1536:kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5:cdseIOMEZEyFjEOFqTiQmPl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2208	omsecor.exe
2532	omsecor.exe
2452	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2192	a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe
2192	a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe
2208	omsecor.exe
2208	omsecor.exe
2532	omsecor.exe
2532	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2208	2192	a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe	30
PID 2192 wrote to memory of 2208	2192	a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe	30
PID 2192 wrote to memory of 2208	2192	a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe	30
PID 2192 wrote to memory of 2208	2192	a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe	30
PID 2208 wrote to memory of 2532	2208	omsecor.exe	32
PID 2208 wrote to memory of 2532	2208	omsecor.exe	32
PID 2208 wrote to memory of 2532	2208	omsecor.exe	32
PID 2208 wrote to memory of 2532	2208	omsecor.exe	32
PID 2532 wrote to memory of 2452	2532	omsecor.exe	33
PID 2532 wrote to memory of 2452	2532	omsecor.exe	33
PID 2532 wrote to memory of 2452	2532	omsecor.exe	33
PID 2532 wrote to memory of 2452	2532	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe
"C:\Users\Admin\AppData\Local\Temp\a79d1a2f1f5a707dec9eac603fb91cbe324fc0e205f92acace4a609311cac66cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
ab6bd8607e0efaaadf64164a4483a54b

SHA1
58c5d82afae87825444b88787b0c2539f72b2f86

SHA256
55331a3d2d410da8e0c8273935fd5b4f6a356eacc549542e2fb95393c8a8b104

SHA512
19a1091ca8db61fabb154ee332100a942293bfd402444a11f27c5e849954d76801663359a37bbc384e1f4c26e8bb60e6b408dcd988d42bc5d33a7a809515728d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
dfd80730a4b559c27a3e8bb40dc9c0b8

SHA1
7d4fe803a3df3facd9588a3c6bb398e76b70e2ef

SHA256
be69a41ea79b07c930f3e5c7120b8108f02bd8e453b7c186c5bc3a0c85bc68ab

SHA512
63b89a73d8fccddd71438d902db4c5b95a2a7cdd773f90f6cebc390c936e40ec393b59cd0668d6c6f10f13549df79b053f1da58e05950a8de093975654c98476

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
53d665246c81942430efc9d2bdb17a31

SHA1
a3ceab12fdb3b8f5cfa6b907bf68d67224df98e0

SHA256
2be5ca8a6d599d4189d3e947c5fbd705ee256f310112ddcae1e92d6ca9807d11

SHA512
3ac380a28dfcb6cddddda23fa0983f0aa42b95169fb472ffd6f46985041473867c16a6be4d04949e94f28f6b9ca58cccaadbcbdfb7c050b16d8056e9e6273486

Download Submit

Analysis

Sharing