neconyd | e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656

General

Target

e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
Size

61KB
MD5

29db121964d3987368902b55b643793d
SHA1

553a81e58811e2cef168ed99e967a54bd1264d83
SHA256

e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656
SHA512

ad02a5bf16b01bd7a5b316264477c03ea90ddc8108fddf792d0635417158a0e04db1635ae7ce97562fe1003f0cc44735311f36136133786c26c83e1adb86d0b8
SSDEEP

768:7MEIvFGvZEr8LFK0ic46N47eSdYAHwmZ7Bp6JXXlaa5uAn:7bIvYvZEyFKF6N4yS+AQmZIl/5/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
396	omsecor.exe
1968	omsecor.exe
1700	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
2528	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
396	omsecor.exe
396	omsecor.exe
1968	omsecor.exe
1968	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 396	2528	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe	31
PID 2528 wrote to memory of 396	2528	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe	31
PID 2528 wrote to memory of 396	2528	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe	31
PID 2528 wrote to memory of 396	2528	e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe	31
PID 396 wrote to memory of 1968	396	omsecor.exe	34
PID 396 wrote to memory of 1968	396	omsecor.exe	34
PID 396 wrote to memory of 1968	396	omsecor.exe	34
PID 396 wrote to memory of 1968	396	omsecor.exe	34
PID 1968 wrote to memory of 1700	1968	omsecor.exe	35
PID 1968 wrote to memory of 1700	1968	omsecor.exe	35
PID 1968 wrote to memory of 1700	1968	omsecor.exe	35
PID 1968 wrote to memory of 1700	1968	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe
"C:\Users\Admin\AppData\Local\Temp\e30e36f062e8de21f64a995e8d6d1fd10ba0c4a26d91fd89821e1943a55bc656.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
6437db32265d6ba4074c53ae747b54b0

SHA1
e7bbe389f4ad57b72a0b8c56ff8dd1b1413bfb21

SHA256
182ae29fa0950ef41afab7b5465242ddefad7c06addbdcad973ed3e342e60e71

SHA512
a84124540b0f048793ae661722d40ad6148b4383a38d16ac6e21d19c1e7b200d928639a284dfe19405158a3483ac0b5f4d34c59e7a7406134a9a521a7c715380

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
c93da69abdecdc226a8cc3b1146ca12f

SHA1
8c1a02f91d07530710c0ce8b49afcddfccc1d231

SHA256
a7c843db5444e171451f8cefd0e6049345c83bf9dd8213970f8cd74c6bc8fa38

SHA512
85be3cab20d9f342f883afc638147f013367ede43ef7f190fa09f5e2dd08b01972e91707b8c1eed848449faec4492afab75d5721f25fdd49b1dba168ce85aa40

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
e0f2b994dc938746e1180b89597ada8c

SHA1
adb31b4b073eb92fe80cfb8268098427ab828503

SHA256
d92490081a120ad2137cbc0422bf93d71ea29b9db3a77e8f02a877c57c3e8248

SHA512
a1b6d0dce6804c410f3250d142337650033762128defdcde763c370a4e0cc278758af3c9bc4e84582c8c9c077047c544e6678bca50306e3ad8d84af5a48d8e27

Download Submit

Analysis

Sharing