neconyd | 0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73

General

Target

0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe
Size

80KB
MD5

eb683a7ff8d2ae492645d4de11ee4920
SHA1

fe6ca2f4565f85594762cba22c6fce71b245189e
SHA256

0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73
SHA512

43aa80edb33741351df8d19447dd3ad7b7f24fc25404466e501f72b655b230dd0c9a5ca9b3bc1afb4dc4aa6e7d14999bffa7c77bb233787d60242063e71b6b04
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:+dseIOMEZEyFjEOFqTiQmOl/5xPvw3

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2688	omsecor.exe
2396	omsecor.exe
1656	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1320	0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe
1320	0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe
2688	omsecor.exe
2688	omsecor.exe
2396	omsecor.exe
2396	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2688	1320	0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe	30
PID 1320 wrote to memory of 2688	1320	0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe	30
PID 1320 wrote to memory of 2688	1320	0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe	30
PID 1320 wrote to memory of 2688	1320	0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe	30
PID 2688 wrote to memory of 2396	2688	omsecor.exe	32
PID 2688 wrote to memory of 2396	2688	omsecor.exe	32
PID 2688 wrote to memory of 2396	2688	omsecor.exe	32
PID 2688 wrote to memory of 2396	2688	omsecor.exe	32
PID 2396 wrote to memory of 1656	2396	omsecor.exe	33
PID 2396 wrote to memory of 1656	2396	omsecor.exe	33
PID 2396 wrote to memory of 1656	2396	omsecor.exe	33
PID 2396 wrote to memory of 1656	2396	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe
"C:\Users\Admin\AppData\Local\Temp\0b71dbb870aa8f4208b441bc9ba285d88f13abec2cb843a5224edc3782c81d73N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
aac9ca625d1e1854c69a097ce943ac25

SHA1
559309cb655c7e868d297d39623a3bf322f7e9c3

SHA256
24e74292c63f9cb21bdc34064ca1199dd2a464b69d462870f48992ff6c04218d

SHA512
be018a6c1d36056017bdb1ab9de3ce5a9d25fd41f0602373f58e5bd54531b951872d50141767d21602f8a8d0c2db776ae5630c2f25140ec877f7abb2fe789950

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
5b3c645b5839986e7717b42cd5b9b125

SHA1
b85167d9a346522e1d7d614ea7832ee449506210

SHA256
2c04a675d15972a6fc38bcc474aeecf80de0009399c6dc5622c09266b5a897e8

SHA512
5a449d63acf27bbad968a6fdbcda98a7f7da4ae27097f3b9677dfeaec79c5e00ece7bbd0498ff289bb555c60366ddad38296bb5dd631a065c260d015efdfca88

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
e1bac645f88877b0864a49d3256108b2

SHA1
45e5282caf40a440e7443b8320a1587e1b2427ea

SHA256
3f0e931ca65b18894818c43aeff705c54b186a25d39663028d2f5d90105401aa

SHA512
c9b4b26760c8bc88c0d78cc57c0c2a9469b82b441c77f62976e6b14b9d441fb6fba9ae9c73a1083df02ecc3dedab80c70cc55daaca89e261fdfe7ebf6b3f9d72

Download Submit

Analysis

Sharing