neconyd | 0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3

General

Target

0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe
Size

64KB
MD5

c44f8b816073ca9d49f324ec821409a5
SHA1

b9c1b7c3558f2614ddc93a797dedf05c4ff02a83
SHA256

0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3
SHA512

3ea7a4174499d147ded7218caa02c7e07a898bd56729ff19d758ba5b63129e2178d4bd0ac0b0ac9b947bbbac87a8c9a839ba5b3e5e7299ffdc9a9519bd0ff83b
SSDEEP

768:bMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAv:bbIvYvZEyFKF6N4yS+AQmZcl/5H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1832	omsecor.exe
2904	omsecor.exe
2804	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1624	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe
1624	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe
1832	omsecor.exe
1832	omsecor.exe
2904	omsecor.exe
2904	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1832	1624	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe	31
PID 1624 wrote to memory of 1832	1624	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe	31
PID 1624 wrote to memory of 1832	1624	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe	31
PID 1624 wrote to memory of 1832	1624	0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe	31
PID 1832 wrote to memory of 2904	1832	omsecor.exe	34
PID 1832 wrote to memory of 2904	1832	omsecor.exe	34
PID 1832 wrote to memory of 2904	1832	omsecor.exe	34
PID 1832 wrote to memory of 2904	1832	omsecor.exe	34
PID 2904 wrote to memory of 2804	2904	omsecor.exe	35
PID 2904 wrote to memory of 2804	2904	omsecor.exe	35
PID 2904 wrote to memory of 2804	2904	omsecor.exe	35
PID 2904 wrote to memory of 2804	2904	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe
"C:\Users\Admin\AppData\Local\Temp\0c60739d64182b0f0941ab1bde364d2a8ae938e3154373cb96d11a72f664cff3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
c4554e7d7f7f89110e762dae27d70026

SHA1
4dca5d1ae45bc3777c1c9401682dff7978d76fc0

SHA256
526f738eb95f4652d279cbbe321db637bfad71ed0e03873594863283a630bab9

SHA512
5c6572b894f1fb5846f47d249e5608740b13e1e25fca9903d53795b4ca3da56be7b554dd29303782e14dd6f06a364a0976d9ecccbbd1e81c692a0fc78c34f605

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
9eb8c5e012218152a1dbca9fe39e2463

SHA1
2810f85a53291aabb51f533e375c60a885806917

SHA256
f7758f80e8d2b5b2d6d7ddc3bc44026e86dfcf837fc3db6a4ccbf977039a329b

SHA512
029439e1190c65c570d4e942eff5b2198a3d22e2496c78bec25cc88938e138e81dabda3936e098c99e09d8e1ae23a97a61c6ef996c1fc69c448fe033423db721

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
47868fc56de185e672175da7352042c6

SHA1
503fb460708ce6186a4af12889d04e109eb452bc

SHA256
cd6c044c023886332d0d7ed13abef5d253ec3449dbb0d2d4758685393b6414d3

SHA512
5859c305eaa776412d110804e823ff2f55db438f6e650af955fef7b821c53abc2adb6d68b0bb84cae7258d16d667bf575d4095b48872e23d93efe95cb239c608

Download Submit

Analysis

Sharing