neconyd | 0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7

General

Target

0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe
Size

76KB
MD5

fce9f1b087d1e9d225ae7a62e924c600
SHA1

3e8f30a12a44e60c928163b9aa6b07934e70b12a
SHA256

0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7
SHA512

943e072de7b00d48cf81d39a0db9d75d777847279fa0a6fee58c2da886adacebb82dab0bcbf3e9ed216b28ffadbd70fef8c558d9d5a51fc4857b98ad4695948c
SSDEEP

1536:gd9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:AdseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2688	omsecor.exe
2088	omsecor.exe
1476	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2140	0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe
2140	0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe
2688	omsecor.exe
2688	omsecor.exe
2088	omsecor.exe
2088	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2688	2140	0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe	30
PID 2140 wrote to memory of 2688	2140	0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe	30
PID 2140 wrote to memory of 2688	2140	0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe	30
PID 2140 wrote to memory of 2688	2140	0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe	30
PID 2688 wrote to memory of 2088	2688	omsecor.exe	32
PID 2688 wrote to memory of 2088	2688	omsecor.exe	32
PID 2688 wrote to memory of 2088	2688	omsecor.exe	32
PID 2688 wrote to memory of 2088	2688	omsecor.exe	32
PID 2088 wrote to memory of 1476	2088	omsecor.exe	33
PID 2088 wrote to memory of 1476	2088	omsecor.exe	33
PID 2088 wrote to memory of 1476	2088	omsecor.exe	33
PID 2088 wrote to memory of 1476	2088	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe
"C:\Users\Admin\AppData\Local\Temp\0eb34b4215e71f1089dda8186bce570fad84a11e944e7308aa59f7c06353a2d7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
3387fb1a125300b58bca90c77a1bd77f

SHA1
064b47c4a98e60fab74e07215e54c20d3e7e5b4c

SHA256
fb280d94e666f5cbe5014ac90818b1c7c15baad90b52b7f891f45ecb6b1639bf

SHA512
c1c42748c638b8259919d2606850344e7bb38e863d71c6ac705c80ddb3a21c050698daef81ffb5865ad96b6d88c88e4e0cc69561394ece81d57f9e0d1df7aa1f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
6f3a514715f66a106dba89dceec7c67c

SHA1
fc39126c171ddb991f8e16abb0cd194f77a75a64

SHA256
ef3de2da483b35c2547c2bea9374a91ee4736025979103937862829a2c447ec2

SHA512
dc77d3e52963c713eab5c0730f26a335a551dd71d95277ae4fa05258a5746d03e59beab24932412dc36e7d304e7783f83edeacb8ccafef5c781e736e43015352

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
de3c151e50c492856dde04148517a5ab

SHA1
8eb250c6a9f2863b683fb77b85b566d8efec6698

SHA256
43b679b4eb8dd0bd009461dc1ef9b714618393cf078a17c9a0a142a43f83973d

SHA512
a03ea05c28e950c6e9cfe4cf5986279734462b922fdd04d36d60d192ee139e08b8dfc8e5b187c3fa9cd69a2fc248b25e0858613a66536e76a9a9e04514af28c5

Download Submit
memory/1476-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2088-29-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2088-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2140-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2140-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2688-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2688-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2688-17-0x0000000001F50000-0x0000000001F7A000-memory.dmp

Filesize
168KB

Download
memory/2688-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing