neconyd | 073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edb

General

Target

073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe
Size

72KB
MD5

c52359b57f84782b520914960b104280
SHA1

b3c7572130f877d941f565eb6690af8e835d6dd3
SHA256

073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edb
SHA512

16b8dbe49fda6f9478ce02268db009b1235c277a04f153dde740701bbe351ac1aabe2d5e43d60230753bdcbf9103589bf00eb8ff50ca79034813369cdb5e5757
SSDEEP

1536:vd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211t:HdseIOMEZEyFjEOFqTiQm5l/5211t

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2488	omsecor.exe
1860	omsecor.exe
2084	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2468	073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe
2468	073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe
2488	omsecor.exe
2488	omsecor.exe
1860	omsecor.exe
1860	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2488	2468	073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe	30
PID 2468 wrote to memory of 2488	2468	073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe	30
PID 2468 wrote to memory of 2488	2468	073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe	30
PID 2468 wrote to memory of 2488	2468	073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe	30
PID 2488 wrote to memory of 1860	2488	omsecor.exe	33
PID 2488 wrote to memory of 1860	2488	omsecor.exe	33
PID 2488 wrote to memory of 1860	2488	omsecor.exe	33
PID 2488 wrote to memory of 1860	2488	omsecor.exe	33
PID 1860 wrote to memory of 2084	1860	omsecor.exe	34
PID 1860 wrote to memory of 2084	1860	omsecor.exe	34
PID 1860 wrote to memory of 2084	1860	omsecor.exe	34
PID 1860 wrote to memory of 2084	1860	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe
"C:\Users\Admin\AppData\Local\Temp\073b1222a5f6399a945b64f0cf9810a5cc639552b1eeccd351a845e097aa7edbN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
1eaee24b01bee2ddb2c26d08a0288358

SHA1
5156f45f4db92df034d09baa78333ece1efc3f72

SHA256
13e36bb15ada6d25417ab6d6ac4c7758fedb27eb93c8370b65385791ce158ad2

SHA512
71ac2040e9499775833316190f2e366a5b57b4dc512863eb98de2856967fa92ed0bb57f937ff819ab763061aa7eb87e86f912fda6541a46f6bad1432f939f491

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
5387762a48818347e633e9d33bfe22b5

SHA1
6929ca93663ebaa4f37bc2a31caa170b42c3ff3a

SHA256
39daccfbe466b9466d074ea7f8f702c5c4180a63ed0b62a92967d6d755d5f8b5

SHA512
b09053761446385d9eab8a8f1bf6c42f3a8a41eb657e1bfe307cc1ce963f138783935b72286d68ec4eaf1190d119a6a10bb844c27e1139303b6edc424db5822b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
ad308aba38e31455383bf25c0b784201

SHA1
a859a0fe4ba2b8afe038fc5fb9b4a7280f0336aa

SHA256
f7f89e3e26cbcfbe7e840f30eaef74cad13bb84c391a6029e8f36bc3df54149f

SHA512
2c5af05b9fe8770e552fa8afa994457305884e17cc643a2d0588dc25c05428fd2b048dc95d93db316d9540ed2d2d97cda3d9ee0fda3b32b1d21a4d42475dc524

Download Submit

Analysis

Sharing