neconyd | 0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3

General

Target

0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe
Size

61KB
MD5

77245a4a45c944b85682193addf28ddd
SHA1

6c410ecb4203d6d2641dc2dd4cf8d745a6830379
SHA256

0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3
SHA512

2810bb8812799cad2865df9403b6b55323cf2c56417caa52493ccef073ef3dbf94281fda33147d3b6101bb8b96cc9383899fdbcb6c74435a9a02c47f0212a4f8
SSDEEP

1536:ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZCl/5v:NdseIOMEZEyFjEOFqTiQmYl/5v

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3040	omsecor.exe
2920	omsecor.exe
2744	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1344	0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe
1344	0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe
3040	omsecor.exe
3040	omsecor.exe
2920	omsecor.exe
2920	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3040	1344	0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe	28
PID 1344 wrote to memory of 3040	1344	0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe	28
PID 1344 wrote to memory of 3040	1344	0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe	28
PID 1344 wrote to memory of 3040	1344	0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe	28
PID 3040 wrote to memory of 2920	3040	omsecor.exe	32
PID 3040 wrote to memory of 2920	3040	omsecor.exe	32
PID 3040 wrote to memory of 2920	3040	omsecor.exe	32
PID 3040 wrote to memory of 2920	3040	omsecor.exe	32
PID 2920 wrote to memory of 2744	2920	omsecor.exe	33
PID 2920 wrote to memory of 2744	2920	omsecor.exe	33
PID 2920 wrote to memory of 2744	2920	omsecor.exe	33
PID 2920 wrote to memory of 2744	2920	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe
"C:\Users\Admin\AppData\Local\Temp\0ebc48f140e7a5592edc30985957af8713d3597df962beddfff33bf52bee35b3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
d069dbb2f4c452f4baccbde3cb3360e3

SHA1
56beebe557c4d273e07bc67c65084da352bc4a26

SHA256
ffa5cc20dab7c598a3fa664c3f543d0a9b454d974c20dfc8df715e5e1a186bed

SHA512
5765da60fd1b1b4d36d64d34abcef777c662ae3930125e2fc164b395ed5b5debcb03ca4285d6b460a906c577204cd6c062028325077f8c878767ae7307d731a3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
03ac50d95e491c87f37571c7e10939a7

SHA1
ddf4935c0694d22848c3773b31e0ea15f6d905bb

SHA256
021ee56e08c510c8549417142c7a96120d8d199aef450e8b3e66023fdbf8ef4b

SHA512
d36b6236016f5215d1dde29f2bded6fa7b67b1b3af19e5a6f94e40b3722d6fec7f10e76084b4047660b8f4a4a6e5c6dae1beeafce40e9cc2d47e1ae3b45cd2ea

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
66f5031fb8a167836ed2a097c5959bbb

SHA1
1fe09e378fb3d39fc4a800ec85e183fca61f4821

SHA256
4d02f87f239fe191d21735965310253c05d62cc1088db7ac3eddeaa6c80e98ed

SHA512
d24923c9e9e201ca658253c88618fcc9d87f9363a6bde279197a5ed222c653508658d2eba399f48848afc34bfb4c45ff8fc146d854fe0d0be4125a87b1627733

Download Submit

Analysis

Sharing