neconyd | e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00

General

Target

e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe
Size

61KB
MD5

9b1bd6f85c7c3c12775b80a30f5af5ed
SHA1

02cb3e82153dc7ec331b89e467536d141438ef63
SHA256

e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00
SHA512

b00fcda60ff8a70ff37cb0991d1de5fc993361eb51f3174343499a37944a58952c487d96fb6f7c2155e021f8d2f1b1f714bf4cf48d2c041ccf83a52a9da9f741
SSDEEP

1536:Qd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:QdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2340	omsecor.exe
1648	omsecor.exe
2800	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
524	e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe
524	e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe
2340	omsecor.exe
2340	omsecor.exe
1648	omsecor.exe
1648	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 2340	524	e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe	31
PID 524 wrote to memory of 2340	524	e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe	31
PID 524 wrote to memory of 2340	524	e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe	31
PID 524 wrote to memory of 2340	524	e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe	31
PID 2340 wrote to memory of 1648	2340	omsecor.exe	33
PID 2340 wrote to memory of 1648	2340	omsecor.exe	33
PID 2340 wrote to memory of 1648	2340	omsecor.exe	33
PID 2340 wrote to memory of 1648	2340	omsecor.exe	33
PID 1648 wrote to memory of 2800	1648	omsecor.exe	34
PID 1648 wrote to memory of 2800	1648	omsecor.exe	34
PID 1648 wrote to memory of 2800	1648	omsecor.exe	34
PID 1648 wrote to memory of 2800	1648	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe
"C:\Users\Admin\AppData\Local\Temp\e98748b8ccb456573ee361c8e5e437b7b2cb3e0336baa6e161d15564795e0e00.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
90ec631e49fff74b434d78dfe64bd9b5

SHA1
57571ba184eecd92d38f66e2ae78df0af6a4634b

SHA256
d0de2a709b69f98de2a17c6c0642c67b7b567011aefa7e9a205f99d83e32eb3d

SHA512
cf5e24c9fef88a9175a07990a337822bdc98a1999c2ce66ba66cf2abf502bce8257c66a8053a0132d47039a1407c45e747d61400ef3a1a8fdc73973e1735090d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
3f42e423b12bd55910a7236befb98f63

SHA1
0b9654a248e814e6e28b9b9d6e68579698857b87

SHA256
f8ad1e04b920025e986f5a3fac2e51cbb07de2afe154eef12d09652c20cd7600

SHA512
7a3f5f389ba05dd9aded07e339a32f33d6955d569474ff70ca2f8d7e3c44206e4b26ec95c9700522e21cc01f91a6fbec717ee7ea618655d53ab643dc5c64b9c3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
050a1d70efba8282f00992a0c4d18a5c

SHA1
b816c729049dee9f4b81e325970aed1950036805

SHA256
615fc020586d0f92f6e4df63d91174d90225cf7938dccb5435f8a6380627f75c

SHA512
b84156011d4a5c04892cbce06f66991cb858bbbc29b460974226a31fd479ab024a0860ac9405d1f8887f4622e93f80644e191a76a9d70931f54729a3cd8f72f0

Download Submit

Analysis

Sharing