neconyd | f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f

General

Target

f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe
Size

64KB
MD5

69f7cc6fd27e49643574afd0a282bbb8
SHA1

27fc663276af53968eee2628bd12596696200bfd
SHA256

f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f
SHA512

6e995f9342b251bfb45b9a883fb9f9842df6f7d6da0dfb6067b269e60c9f09d1390edc894385a679c1db8c22761ee357ced0d7f3c184bc3c0cc27ce3d484a477
SSDEEP

768:jMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAH:jbIvYvZEyFKF6N4yS+AQmZcl/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2276	omsecor.exe
1592	omsecor.exe
952	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2260	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe
2260	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe
2276	omsecor.exe
2276	omsecor.exe
1592	omsecor.exe
1592	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2276	2260	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe	30
PID 2260 wrote to memory of 2276	2260	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe	30
PID 2260 wrote to memory of 2276	2260	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe	30
PID 2260 wrote to memory of 2276	2260	f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe	30
PID 2276 wrote to memory of 1592	2276	omsecor.exe	33
PID 2276 wrote to memory of 1592	2276	omsecor.exe	33
PID 2276 wrote to memory of 1592	2276	omsecor.exe	33
PID 2276 wrote to memory of 1592	2276	omsecor.exe	33
PID 1592 wrote to memory of 952	1592	omsecor.exe	34
PID 1592 wrote to memory of 952	1592	omsecor.exe	34
PID 1592 wrote to memory of 952	1592	omsecor.exe	34
PID 1592 wrote to memory of 952	1592	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe
"C:\Users\Admin\AppData\Local\Temp\f415a9ac440615626abc26beeb5ffe0ca3647b9a5c9d549a102cda5ceeeac60f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
bbd228adbe5d52b27549643a21bcc571

SHA1
044e4598c888ca270ba929f568cd892a7ae89362

SHA256
ec6c28bc8384d6afaf21a20e86c72a66745d69cc576f93c0876dc26245376653

SHA512
4ec61c76e627e1bfebbc39e3e4e82ecd98869a3bf0747610659100b57fa555123b5053fa7711bed8e9f15678e786ae751cbfe8a376505f78552424128a0dcbc8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
038ef208d6ef3b924c141a15a913cdd2

SHA1
ac6a06d33ff4307510b80939802ac9b186253e7f

SHA256
dccbe985a5cee94683168accc5cd5b91e84112c20d3aa85f543dd949cd76295c

SHA512
4e926b4f3cdf6d3a47caf3984cbe97d25db0d29b652706ea951e8199eda534702afb5b4c0fe83c5c50ed2de74e5635eb1413739517e5c73d066b7ed2cd3be5dc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
c7653a1a799af28dfc1c13a7d39b4ac5

SHA1
0befaf0e9f03ce2b7e65ed1030753ee5cb8a3fee

SHA256
e8e9457b8230c46341f67402fb21b5842d21278c1a7b429566453c4166f63172

SHA512
effbac63e939555f5f7adba9a53424b1c5cfed465456f4c9018e645be79c95bb6e81feb2b42dec14311fcd289b0034cfd493e4f597012956f7f37d0dcb827b0a

Download Submit

Analysis

Sharing