neconyd | 01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b

General

Target

01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe
Size

61KB
MD5

0dcb12355a629fd756e3c46245639e20
SHA1

55817ca7ba09edda8dee7bb89cb7983a099004f7
SHA256

01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b
SHA512

e7a810d7426eaaae7120fd4bb2a8f27a80f103bf4e3df7e93190e7fabc1c814dca9d72e213bdabd54b95438f9c1dc79ec0b52a856b9dc8876341d12979d953cd
SSDEEP

1536:4d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZnql/5d:IdseIOMEZEyFjEOFqTiQmFql/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2760	omsecor.exe
2928	omsecor.exe
2748	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2692	01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe
2692	01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe
2760	omsecor.exe
2760	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2760	2692	01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe	31
PID 2692 wrote to memory of 2760	2692	01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe	31
PID 2692 wrote to memory of 2760	2692	01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe	31
PID 2692 wrote to memory of 2760	2692	01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe	31
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe
"C:\Users\Admin\AppData\Local\Temp\01c05dcd1c267a3c3786d9b515e0ebe3ed8e3497bbadeaec723780b2165b2e8b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
19fa0192cfe5d6a6df1cb2563f3a2262

SHA1
4ad52263d5c3dbe71d0568836aa25f062641ee7b

SHA256
a7f765f9108fbae68a0469d1f9ecdea8db27c58f96880b9b91d0f738b7d1f841

SHA512
35f7eaa42fd0dfe161d5eb6a359c61606745cb284a74f70c32a52ad3c62b1ce02c44496b81534149b6e934590577c505acfc3d0090628af5e89cf2757623c44e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
bb7d5149f0a9231bcab3547b9cbf1d55

SHA1
ad2545eaef7f1ade90def02d3334b86867c4c143

SHA256
391e210a115ee2988a80fe895ffb32fe9533fc5c284093d2eb97c97ba3248343

SHA512
ea393cdb7be7b9133d68eab87cdb9f41f25121bb24ac45924334bee72505ca7cc5c5034c64051cfc0d69c2c57fedbecc903597da8e99a1167970a2ad4cff3415

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
d7edc1d94bf00147b225696b4044cb08

SHA1
2510e7b2b82e9d2597c84f5d6d71a6e50454b02d

SHA256
f6291c14e5ce556db92eef89adaaaee41f43d1000cc39a5ea8575e4d2b8aa984

SHA512
de87bd501d08aee8efabc203f16033e4804ff84bbaea32c9d45c2a495cc86bf9483df2c5fe92c816ad371cd48a6585a905f38f4c9ea6c051bf15de0df86a4691

Download Submit

Analysis

Sharing