neconyd | ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e

General

Target

ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe
Size

61KB
MD5

30b78332b12da915a353d82b9707a34a
SHA1

fb10fb84b936d886b18b8b1d7880b5f681ba6dc9
SHA256

ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e
SHA512

3e7eff7aa24b70c927b5ef45caa87249e7de55c8f7d672c1923793b1cdff779dc4536a61854b57c4794f3f4b2abb1797451524f6e2d6e94d9b6c6e4b6417d786
SSDEEP

1536:nd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:PdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2556	omsecor.exe
2640	omsecor.exe
2660	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1988	ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe
1988	ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe
2556	omsecor.exe
2556	omsecor.exe
2640	omsecor.exe
2640	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2556	1988	ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe	30
PID 1988 wrote to memory of 2556	1988	ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe	30
PID 1988 wrote to memory of 2556	1988	ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe	30
PID 1988 wrote to memory of 2556	1988	ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe	30
PID 2556 wrote to memory of 2640	2556	omsecor.exe	33
PID 2556 wrote to memory of 2640	2556	omsecor.exe	33
PID 2556 wrote to memory of 2640	2556	omsecor.exe	33
PID 2556 wrote to memory of 2640	2556	omsecor.exe	33
PID 2640 wrote to memory of 2660	2640	omsecor.exe	34
PID 2640 wrote to memory of 2660	2640	omsecor.exe	34
PID 2640 wrote to memory of 2660	2640	omsecor.exe	34
PID 2640 wrote to memory of 2660	2640	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe
"C:\Users\Admin\AppData\Local\Temp\ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
c7f133d46260b0777bb0d10892721846

SHA1
cb69e6fbbba918aae93c572d1f42fb58da4f56ce

SHA256
a8699ba45839404d5817dafeca6ca7f4ead6f6b57f295b6d7de100c8f127ee96

SHA512
a81ced56da8c787e60c5473564490ffe40a00a813784ea219860670f54de1f2e48d84ea8ce5b92545bbffa8c1ca79d6a3a793673a6a05a1f71809e7c73e853a9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
3334166baa96a6da293da352830b65b2

SHA1
9516ab02f5e1220680452894e3b1c2519560f682

SHA256
800d8a15f0bf468771d00662e4e542bb1c2bd8b54d76a9c50e6900515cdbf70a

SHA512
668e0b523fbd604e19378e5b275e06288a9c8e7be263e3ddac0f3082dd91abf4b1158aa2f68be439ec1760d6bf73b2d1d9d8d7fa90a71dfd667120d4eca5d924

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
837d2430aa5e63a373f78939cb4774f7

SHA1
74ad19844a52b09913ed853c05b6ac0a817b31da

SHA256
2fde492a3af4dcabacf930467e8dceb17e4570299b5c0ee63c0b602c199215de

SHA512
f4a1b8b2c1874fa65862ee9c661a96e51191b92ac803480ad8e0b270a12f405265a75bb92166800da38c8daee07d446c3c2fe4d36f1498e0794a19fbdb2a6b7d

Download Submit

Analysis

Sharing