neconyd | 94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209

General

Target

94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
Size

80KB
MD5

894262470ec2d9f77994e9f2bb2c4aa9
SHA1

b8f803e1f56c5c15132414a12cc563459e178013
SHA256

94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209
SHA512

38eb54f81db4b0c9c84c3f1521ed976306de1ae0815a414fe3a8443aeb51867f52aaa84789fd074a3bb76c50d6163d057d98cd6b1e0a277171e84a55f9f68e98
SSDEEP

768:qfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:qfbIvYvZEyFKF6N4yS+AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1428	omsecor.exe
2448	omsecor.exe
3016	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
572	94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
572	94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
1428	omsecor.exe
1428	omsecor.exe
2448	omsecor.exe
2448	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 1428	572	94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe	29
PID 572 wrote to memory of 1428	572	94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe	29
PID 572 wrote to memory of 1428	572	94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe	29
PID 572 wrote to memory of 1428	572	94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe	29
PID 1428 wrote to memory of 2448	1428	omsecor.exe	31
PID 1428 wrote to memory of 2448	1428	omsecor.exe	31
PID 1428 wrote to memory of 2448	1428	omsecor.exe	31
PID 1428 wrote to memory of 2448	1428	omsecor.exe	31
PID 2448 wrote to memory of 3016	2448	omsecor.exe	32
PID 2448 wrote to memory of 3016	2448	omsecor.exe	32
PID 2448 wrote to memory of 3016	2448	omsecor.exe	32
PID 2448 wrote to memory of 3016	2448	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe
"C:\Users\Admin\AppData\Local\Temp\94035503f1f7c74d5b472826d91427fbe8070d789a82a749b4e10d8953675209.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
ffb0f4b86444738207430d8528ef562c

SHA1
777c56ca752a12f579aebd23af7167e2a6041a6c

SHA256
51e43304828f368a1f432af4b5768229a968663bfa87f3550962f3a3aa838d31

SHA512
d275c619a0b3bfef517e287837c0bd49975adf9c969a133f131e963d99601ff18b31c88ead061f6492a7371fff56054cae82748e60bf8d1965a267c9ade168cc

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
2588aa549ec9376c08ad8bfa60751ada

SHA1
faf51ca3d8152dff6eeda38c50b1b8dcb54d0940

SHA256
e43b856bb073d6471caf1f020f55e53c626a24e21284d1f080e32e32298b1fed

SHA512
8acb573c30b86af1dcc7475eac8d66303cfc70413492f81bb2c9893e0afce23602f8ecda767680749ca5322aa2dced37ef1aff5896151736cc7cec0eeea13ba9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
eb4b7c740b46d0d804ac29833f05d463

SHA1
9bf996ee7896b2dcd0d9415f3192fe6818e3564d

SHA256
4f1920bff6f0207a15082c50ff7d525a2279937bd6e595afe9d2aef7685dc423

SHA512
0f1e15bc9641ba5b8e14ff509939eca0dd00a669ed477c9c4da582d16f71fdf940c7b9189e2927dda81f7f492e1211e9a7e5248a9c1e372c10c91e368b4bd113

Download Submit

Analysis

Sharing