neconyd | 2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3

General

Target

2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe
Size

61KB
MD5

78bbed686fcb6e7e69a4a260ccbaf890
SHA1

252b382498bac37f7e877f1cee13ba0c456bb75e
SHA256

2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3
SHA512

ecb4509aa420776c0d00b43a9a4fc53c5e3206aa44263038c8ad070e6692f74703f7ac6fabcef14ca10e7d0237c9d300a996a6d5b67e70509e54c41d2de7bc41
SSDEEP

1536:ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:NdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2816	omsecor.exe
1408	omsecor.exe
1412	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
540	2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe
540	2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe
2816	omsecor.exe
2816	omsecor.exe
1408	omsecor.exe
1408	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2816	540	2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe	31
PID 540 wrote to memory of 2816	540	2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe	31
PID 540 wrote to memory of 2816	540	2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe	31
PID 540 wrote to memory of 2816	540	2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe	31
PID 2816 wrote to memory of 1408	2816	omsecor.exe	33
PID 2816 wrote to memory of 1408	2816	omsecor.exe	33
PID 2816 wrote to memory of 1408	2816	omsecor.exe	33
PID 2816 wrote to memory of 1408	2816	omsecor.exe	33
PID 1408 wrote to memory of 1412	1408	omsecor.exe	34
PID 1408 wrote to memory of 1412	1408	omsecor.exe	34
PID 1408 wrote to memory of 1412	1408	omsecor.exe	34
PID 1408 wrote to memory of 1412	1408	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe
"C:\Users\Admin\AppData\Local\Temp\2a83b0d1152365d0fd981deae59c384e950119abd9f53bb2d854c6628e8e94a3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4325126f6d792ff83075f7c6980d5813

SHA1
6b113c9db65e88c639b211bc811c4bfa3e4b2099

SHA256
2c638ab8ac8a2a2e7a1e6b054cc20f8b78138ed1ad4920419cf36de61966344b

SHA512
12d14351abff1d83d82beb36f7a1f8641711c3adf53bd7d11e2f2931ba132ac6d24705a9147dc842c9c15be288a30096be975f356687ce1fb3ee16d339e6842c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e6a366bfe5e16ce4eca8d64b2e439d73

SHA1
2fbaf42166c98ce23e8e188a9239936c8434df9b

SHA256
8bf2682c69204fd6e29f110d2d3267d62b90b95318e09968ddbc46a3752507f7

SHA512
a76e5cb86f2ffea45f9237825cfbebd534418e5b299b2ad4880d155e543c4a64a41b3c282c92eb02c011725b34f4854f2f8ac2d686b26109481255fcab1410c4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
2dcc84f991c1a9c0768432c8006b9ec5

SHA1
aefb424e9a7658acc8b5be89b94d58f6f4ae08f1

SHA256
bb9839e15512e2b82186470bf512447b3675cc27ed23afd324b8a2c796b095c9

SHA512
555832c2444dd1f6f8d6bfde05161bcbe3a03a5963aee6722b4b8a313a90fe8a1ad6c0f7d96d9ae9369ba761e5f06b7fe82b1ef58c01d91e7d4cf17372df45aa

Download Submit

Analysis

Sharing