neconyd | e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0

General

Target

e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe
Size

61KB
MD5

d907e95a690863a63feddc08d2580e20
SHA1

1591cd3fdb03853f41a11c86b1135aa9adb1be88
SHA256

e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0
SHA512

e4fb0181c9fb9a04e3595b73742fdde16841592ea50b1dc50a52e2f25350cb83ea3a295a0d369bc5d1610c0455f4a3921c1fc60111a2bf21b3219cdadf238471
SSDEEP

768:zMEIvFGvZEr8LFK0ic46N47eSdYAHwmZ7Bp6JXXlaa5uA:zbIvYvZEyFKF6N4yS+AQmZIl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2020	omsecor.exe
3044	omsecor.exe
1792	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2156	e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe
2156	e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe
2020	omsecor.exe
2020	omsecor.exe
3044	omsecor.exe
3044	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2020	2156	e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe	30
PID 2156 wrote to memory of 2020	2156	e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe	30
PID 2156 wrote to memory of 2020	2156	e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe	30
PID 2156 wrote to memory of 2020	2156	e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe	30
PID 2020 wrote to memory of 3044	2020	omsecor.exe	33
PID 2020 wrote to memory of 3044	2020	omsecor.exe	33
PID 2020 wrote to memory of 3044	2020	omsecor.exe	33
PID 2020 wrote to memory of 3044	2020	omsecor.exe	33
PID 3044 wrote to memory of 1792	3044	omsecor.exe	34
PID 3044 wrote to memory of 1792	3044	omsecor.exe	34
PID 3044 wrote to memory of 1792	3044	omsecor.exe	34
PID 3044 wrote to memory of 1792	3044	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe
"C:\Users\Admin\AppData\Local\Temp\e0d18faff83390d3ba33c78308833b9476866efa2d23662fa2571d79796702d0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
fc28dce68bdf0f66de99ba3f143f5974

SHA1
965c75fc8782b4dd8738231e7a67817c30f0fee7

SHA256
f6d87c3ab7e0f0929328c26ed64fbeb72e45a05f53f400ff6c321f573f836ed0

SHA512
eba193964e66fd4f98065bc9e587b86dc3989429afb64d1ba914c39524d48fd7d4a66552c15ee67a5e7346f26637be01f2d349ee1c3854a9926839a5e4c2c988

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
a54b6d51a28b6b592a08b27702cc182a

SHA1
7c45567972de1f925935f10cd2f9ca993ded18a4

SHA256
283828f4611ceb3bbda48828a9d4a62ed72f6e79f9469aeab51c2c05c822ff9d

SHA512
47f1ce0029a3e40eb3c936a5d366fc1f962f17f9789e0dba8f952aa2eca1f9b3c6ec89267b8d6800d3be5cee33dc93bd2f095b9c5956197ae18e5c2b515d15a0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
6c4ea83f21bf7b442d90a62a7f9d080e

SHA1
4a44589b1cb112f9c74830aee4422aba2a24fa6c

SHA256
ab256948341d2b40c8395027d1e40ad068c8b3abaee850fb393fc727eab457ab

SHA512
accc54d699c34a07a1cd0430098afa9c3ade23bd569967918f3447260d7be1e007d12c1b774efe9a49bacda044d07632bb7ee763dad3889d8484b79b2a10aa61

Download Submit

Analysis

Sharing