neconyd | dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a

General

Target

dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe
Size

80KB
MD5

795f2d2e2962e83c62eaac64a020763f
SHA1

bca9efebd53235dd835c1534a0b53a9f58a6fc6f
SHA256

dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a
SHA512

a8c90d2cdcd4f51296dd0d7561b085ea7c776d6a3fa213256d26df6820cacc472fedd976110ce407bc77ce24fe1d42ac922ce46c2a72a906805c42809c1fa34b
SSDEEP

1536:Wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:udseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2684	omsecor.exe
2868	omsecor.exe
2520	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2780	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe
2780	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe
2684	omsecor.exe
2684	omsecor.exe
2868	omsecor.exe
2868	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2684	2780	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe	30
PID 2780 wrote to memory of 2684	2780	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe	30
PID 2780 wrote to memory of 2684	2780	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe	30
PID 2780 wrote to memory of 2684	2780	dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe	30
PID 2684 wrote to memory of 2868	2684	omsecor.exe	33
PID 2684 wrote to memory of 2868	2684	omsecor.exe	33
PID 2684 wrote to memory of 2868	2684	omsecor.exe	33
PID 2684 wrote to memory of 2868	2684	omsecor.exe	33
PID 2868 wrote to memory of 2520	2868	omsecor.exe	34
PID 2868 wrote to memory of 2520	2868	omsecor.exe	34
PID 2868 wrote to memory of 2520	2868	omsecor.exe	34
PID 2868 wrote to memory of 2520	2868	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe
"C:\Users\Admin\AppData\Local\Temp\dbe250885f238b504e3737d38447fb01093f93d118c332841b2e8892e964258a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
5bbe6946a8f827a135abf8b68fa6537c

SHA1
a7f92e3535de609bd37ddca11248fcf343228fdc

SHA256
084929250ba6eaf5c333f24ec78cdd96393b59e950d054bf38a656d44ae3c8a0

SHA512
2f499c1f93471218db24b6e48d5909ec3e8c8a09061f53cdc5985925c628c2049b94873b421d64b5296645546060689be272149a6b4b6122b7e015abd17af822

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
33bd80b6b176d6cb878fecb0d76ce334

SHA1
2f8983f74fd27909a13fe5baef88f20d56fd770e

SHA256
b919e9e48c5dcac0132670cc1c41773125da8e613e6b3efbcaaf7099caed3e34

SHA512
26cf55863a087f85fad2142bc2dad0eaf5ccf5ce721686f25b68c353e1710c12df5ac70d53bd6cc706a1b5da32e16f2ff3ba8c772adb1c2db35ad4054a0c02dd

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
4ae74d8fccbb574cce44f9c2e58e57ca

SHA1
b9ca0501b48844c042164bd02e9b471bc372e6ea

SHA256
efc4d14910505d220b650e25e5b23214736e872b7873730bf28f24e08b948fda

SHA512
fb716f47105ed7178d12ebfdacee1a8837cf9024848171c9742d2f9de9a754abbac8ac21d9e9290b815a9f9e3014aa65140a84c1435b1dd53537ba1a9a03e492

Download Submit

Analysis

Sharing