neconyd | 5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2

General

Target

5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe
Size

80KB
MD5

adfd08079cc435a0f9fa6092b0359870
SHA1

0ca4754b10ba0efedba325c441dcbdd4ac8f404e
SHA256

5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2
SHA512

ac0d573d5f16d5191d705c03f900f29d1100b2ca1836efc020c79e35aaf391ae3040fd43892bd50d81335951d30fe57a08be7e2d9065c0ee3e32f53b1c3cb974
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:7dseIOMEZEyFjEOFqTiQmOl/5xPvwv

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2368	omsecor.exe
1784	omsecor.exe
2316	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1740	5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe
1740	5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe
2368	omsecor.exe
2368	omsecor.exe
1784	omsecor.exe
1784	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2368	1740	5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe	30
PID 1740 wrote to memory of 2368	1740	5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe	30
PID 1740 wrote to memory of 2368	1740	5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe	30
PID 1740 wrote to memory of 2368	1740	5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe	30
PID 2368 wrote to memory of 1784	2368	omsecor.exe	33
PID 2368 wrote to memory of 1784	2368	omsecor.exe	33
PID 2368 wrote to memory of 1784	2368	omsecor.exe	33
PID 2368 wrote to memory of 1784	2368	omsecor.exe	33
PID 1784 wrote to memory of 2316	1784	omsecor.exe	34
PID 1784 wrote to memory of 2316	1784	omsecor.exe	34
PID 1784 wrote to memory of 2316	1784	omsecor.exe	34
PID 1784 wrote to memory of 2316	1784	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe
"C:\Users\Admin\AppData\Local\Temp\5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
692ca395d89625c8100071a3db65c7b3

SHA1
af728e91ed44d00e87ae64a703dc9c7061dc98ab

SHA256
8b373e65eadde04f9384a23ca1b73fe7e2cafde9f4d827c011737172fdb9e373

SHA512
ae49cc55ad75e4ff5dfb83d28021b6fa64caf0811f8867d0a154aa0db2ac108fdfdfe0052d2a0c4d946ab8171e94f3e8f28955b15ab4872948685c4e7cfc40b1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
0363c1b3bf360b492d019e0ae4c8e88e

SHA1
5583cb6626043ce67833ba899ac40e40fffa654d

SHA256
794bad4198577160e16f6c8d2eb3606a4c68944c05e517f7d0be70ef92e20492

SHA512
25cf4b9500b55efa5023f39efe2df1f17014420d0b9b859bf7cef18fefc63505b3379e2eab2a3823f83fbabd869b310fa5749f22ba43a544ff075218830fc84e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
635aa3bb285af7699b137f79bbb13343

SHA1
e4a82d22f0cb75ec0b01a87312881820b5d84529

SHA256
55306767e749a5d623fad7ad163d982063145e8d410d7cf303b38cad597e6dde

SHA512
b37fea0e01b5f0769bd8aa28374cf1d2a5d97f2ed60701f845e92bb65ee7729c2e5748b6bb24015f0fbaa936194c5220af841dab678249e6b48676b2aef28e2c

Download Submit

Analysis

Sharing