neconyd | 0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a

General

Target

0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe
Size

61KB
MD5

56525fd577862dd0a94ed4a7731fa970
SHA1

7f327ac5b52d96a43c258e7e2800f57a011b7c84
SHA256

0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a
SHA512

c7bade7acf19702b1c78aaa1f2548be9d023809a8289023a26e3062393e7b9df9aff06990212e9fa1778aa13a0e546d7406ed8a0b931e1edf5ef3ff5583902fe
SSDEEP

1536:sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZnql/5f:UdseIOMEZEyFjEOFqTiQmFql/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2268	omsecor.exe
1564	omsecor.exe
2020	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2080	0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe
2080	0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe
2268	omsecor.exe
2268	omsecor.exe
1564	omsecor.exe
1564	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2268	2080	0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe	30
PID 2080 wrote to memory of 2268	2080	0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe	30
PID 2080 wrote to memory of 2268	2080	0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe	30
PID 2080 wrote to memory of 2268	2080	0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe	30
PID 2268 wrote to memory of 1564	2268	omsecor.exe	33
PID 2268 wrote to memory of 1564	2268	omsecor.exe	33
PID 2268 wrote to memory of 1564	2268	omsecor.exe	33
PID 2268 wrote to memory of 1564	2268	omsecor.exe	33
PID 1564 wrote to memory of 2020	1564	omsecor.exe	34
PID 1564 wrote to memory of 2020	1564	omsecor.exe	34
PID 1564 wrote to memory of 2020	1564	omsecor.exe	34
PID 1564 wrote to memory of 2020	1564	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe
"C:\Users\Admin\AppData\Local\Temp\0fd2a258a3498905a7f0e2a9842d87586794b832f173579d00ca505f1fb0f59a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
9b32bc6bc7360c1d8f8276b301281a1c

SHA1
d6b2185cf3e19931ae745f748ba2c934b87f6086

SHA256
33ee7d2e150ab8ec914eef02c05acd3beccbd9265ce3c9342ed04bd11d8bc9e1

SHA512
2429c20542f6f31acde2824b34d59dcc3ff7d40c2d8e9b4f52139d010c7086dac10807aa7ff09b28c79995774fd2003ebe876446772403ec94910c4a22408ada

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e8e30a3de564cdaf28828c1fd9704582

SHA1
125ea2734fd359c935874906016012baa0c23965

SHA256
459707c5c74167112e692226cd0dde4e7f5fe3fd0c7dc0338d96f92e11a65b57

SHA512
233914133290aaf2c7fb9a955afd630c5c9978bfb556456145e5a466ef67b20ab2d44541284927dd638ffef2bb746ba15afdc00eabd4a23f6a624e8f7002f91a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
3867961ac6810c750a68f9c2d5b1928b

SHA1
4b21ba4195bb3e2d3d91c6bc4f783118b3975818

SHA256
deb2baacc5f957dee5f2963610ee4b984fe10284caacb5a3fc9dd331a8ba47fa

SHA512
6201d2ac9ca2b849fc2d2e3d17a8ef84d1b7bb72466cdc69a01aed1944ac180e922d83795346e295ca7e440d51d31f3325fc957776d100bcf95a0b58f488c833

Download Submit

Analysis

Sharing