neconyd | 376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7

General

Target

376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe
Size

61KB
MD5

487f765aae2a9d9d3bc583e608c27a10
SHA1

b39235fefdbe3a341e0c13e46928e2fdd9022a01
SHA256

376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7
SHA512

41e4ab9da03d87ad324ce56d18a1aaa02f1f0121d865065beb880a45a0c30572c94c19f9616d7395a0088310d859f5592a04809310ef6fee4e8f36401e3ad601
SSDEEP

768:7MEIvFGvZEr8LFK0ic46N47eSdYAHwmZ7Bp6JXXlaa5uA:7bIvYvZEyFKF6N4yS+AQmZIl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2908	omsecor.exe
2484	omsecor.exe
2884	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2868	376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe
2868	376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe
2908	omsecor.exe
2908	omsecor.exe
2484	omsecor.exe
2484	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2908	2868	376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe	28
PID 2868 wrote to memory of 2908	2868	376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe	28
PID 2868 wrote to memory of 2908	2868	376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe	28
PID 2868 wrote to memory of 2908	2868	376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe	28
PID 2908 wrote to memory of 2484	2908	omsecor.exe	32
PID 2908 wrote to memory of 2484	2908	omsecor.exe	32
PID 2908 wrote to memory of 2484	2908	omsecor.exe	32
PID 2908 wrote to memory of 2484	2908	omsecor.exe	32
PID 2484 wrote to memory of 2884	2484	omsecor.exe	33
PID 2484 wrote to memory of 2884	2484	omsecor.exe	33
PID 2484 wrote to memory of 2884	2484	omsecor.exe	33
PID 2484 wrote to memory of 2884	2484	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe
"C:\Users\Admin\AppData\Local\Temp\376e2a6a8b394a77d9759700c947ba5ed08d9afc1841cfd25ae0a3a38b5ccae7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
d907e95a690863a63feddc08d2580e20

SHA1
1591cd3fdb03853f41a11c86b1135aa9adb1be88

SHA256
e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0

SHA512
e4fb0181c9fb9a04e3595b73742fdde16841592ea50b1dc50a52e2f25350cb83ea3a295a0d369bc5d1610c0455f4a3921c1fc60111a2bf21b3219cdadf238471

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
5e80f4d74e92297a39dfce3c55032873

SHA1
3ab77be41393d991e681282edc83340d8ceb085b

SHA256
4a200ee6f39b2a58d0ff7c66bbd2c848448334e0eba8840a0f3c06697ff5a4d0

SHA512
9a1224a5b4c8f5c337f4eb46d463a82dc42098ea0096c210f433835fea2ec1cb7273a9759bc6808464ec29becf3ef1f505a59d758d401182dbd93b7412371e4f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
e5b3d1020efd4b4cde3192491cc91a4d

SHA1
02af0e6876e60c81773e3ec7b260a57f9c1ea458

SHA256
da83852554f668c27ab849c7e6a341de6d76dccc0dce38b83437734cc71a2862

SHA512
c90bb36c930d3d192b173b692f6240c67c713f5363169089b3da7a1804c3ac11c92a81628cef9e0726bea8aa2da74fcaa56137c730c05eec9ed8bdc18edde2d7

Download Submit

Analysis

Sharing