neconyd | e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656

General

Target

e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
Size

61KB
MD5

29db121964d3987368902b55b643793d
SHA1

553a81e58811e2cef168ed99e967a54bd1264d83
SHA256

e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656
SHA512

ad02a5bf16b01bd7a5b316264477c03ea90ddc8108fddf792d0635417158a0e04db1635ae7ce97562fe1003f0cc44735311f36136133786c26c83e1adb86d0b8
SSDEEP

768:7MEIvFGvZEr8LFK0ic46N47eSdYAHwmZ7Bp6JXXlaa5uAn:7bIvYvZEyFKF6N4yS+AQmZIl/5/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1364	omsecor.exe
628	omsecor.exe
2000	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2388	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
2388	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
1364	omsecor.exe
1364	omsecor.exe
628	omsecor.exe
628	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1364	2388	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe	30
PID 2388 wrote to memory of 1364	2388	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe	30
PID 2388 wrote to memory of 1364	2388	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe	30
PID 2388 wrote to memory of 1364	2388	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe	30
PID 1364 wrote to memory of 628	1364	omsecor.exe	33
PID 1364 wrote to memory of 628	1364	omsecor.exe	33
PID 1364 wrote to memory of 628	1364	omsecor.exe	33
PID 1364 wrote to memory of 628	1364	omsecor.exe	33
PID 628 wrote to memory of 2000	628	omsecor.exe	34
PID 628 wrote to memory of 2000	628	omsecor.exe	34
PID 628 wrote to memory of 2000	628	omsecor.exe	34
PID 628 wrote to memory of 2000	628	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
"C:\Users\Admin\AppData\Local\Temp\e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
6437db32265d6ba4074c53ae747b54b0

SHA1
e7bbe389f4ad57b72a0b8c56ff8dd1b1413bfb21

SHA256
182ae29fa0950ef41afab7b5465242ddefad7c06addbdcad973ed3e342e60e71

SHA512
a84124540b0f048793ae661722d40ad6148b4383a38d16ac6e21d19c1e7b200d928639a284dfe19405158a3483ac0b5f4d34c59e7a7406134a9a521a7c715380

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
eb9c0d55070264d13507babc2658d65c

SHA1
c913bfd5b51808886dc25041a6228979e3707a89

SHA256
d9049d64bc45a20223dafc5287c9254696ae7b1c7da50d0800f4cb1dcc377d02

SHA512
42af483a4081d8ae921dcb819766af24d74ca41393cf5794c3998fadf0f1b017a84d0f746319fad2e155a24ad136b8ac74513dcfaa0264fb78cfc7d1db2fb5f8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
11eab42caae05f99e4b14166bf00755b

SHA1
fc39b86d595f30cdbfbb0510965a14927e88c983

SHA256
32b0a8ad5e229201b2e514bd83a3798dacfa19b558bea8378db87e56d68eb610

SHA512
c246b6a712083d1a393407a6fe93160f5e360f3f49de94e16069afe6a14ff263aa7f152aee9dd80fd9f635e7c2eee88dcfd22e97b790c8492f1b4c096bc6a327

Download Submit

Analysis

Sharing