neconyd | 9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac

General

Target

9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe
Size

80KB
MD5

f9325388a69fb1539b137050399e7374
SHA1

21d38c2b551e09931b4cf3c7bc6b0861718ef9dd
SHA256

9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac
SHA512

171cb1b8b6eeec37365300051b298adab740f320e5c32089054c1c07a9f1590e7fec6bbe2615096b5c248486ffc474b8f6407157dec5c3840853fc44b39d3ae2
SSDEEP

1536:jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzx:DdseIOMEZEyFjEOFqTiQmOl/5xPvwd

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2132	omsecor.exe
672	omsecor.exe
1028	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2156	9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe
2156	9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe
2132	omsecor.exe
2132	omsecor.exe
672	omsecor.exe
672	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2132	2156	9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe	30
PID 2156 wrote to memory of 2132	2156	9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe	30
PID 2156 wrote to memory of 2132	2156	9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe	30
PID 2156 wrote to memory of 2132	2156	9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe	30
PID 2132 wrote to memory of 672	2132	omsecor.exe	33
PID 2132 wrote to memory of 672	2132	omsecor.exe	33
PID 2132 wrote to memory of 672	2132	omsecor.exe	33
PID 2132 wrote to memory of 672	2132	omsecor.exe	33
PID 672 wrote to memory of 1028	672	omsecor.exe	34
PID 672 wrote to memory of 1028	672	omsecor.exe	34
PID 672 wrote to memory of 1028	672	omsecor.exe	34
PID 672 wrote to memory of 1028	672	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe
"C:\Users\Admin\AppData\Local\Temp\9aac0ca3eaf712185a77ca4f4c2deb5f7dab89351d8d86fdd657cc2b845681ac.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
074a912894069109832fde6d933cf964

SHA1
fd937f8bd2345eba42d96c69436f92227a42936b

SHA256
abfa6a1cdee3cb2bd15640f901f6c286c0c921675b4c0f8dace02d5f7873f539

SHA512
31b51ddf8a2fe3996a8424e25bc62c9d3e64bbd7265d9aedb55c5b8360a45e347f32c5f8acc8ef1afbc50ebebf3e632c6eb57d8a941e7b3a79ec50add41b758c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
3ebe1df0d621e3a09b45916929b9afcf

SHA1
4d9427185b6435e619d1d31192b535df9e079945

SHA256
303d58516e0ab24d2fe8ed1a5cc9dc418249f8e45222b951c856cdaadada09a6

SHA512
ef86f502ff845f200b8623e647284dd8f164bcbae53dd52ccf585cd6ca554d47a318924863c19682ebca556ec43d47df9f4037aa136acabe2ae7097cd6595f1c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
dfb6bbc5426eb5b7fece86e4efb8d07d

SHA1
26722db1438132e8980717bad4c251d75cf609ab

SHA256
a19e35606a55384e918a335b6006dbe6efcaecd24c65cb0152259a194782d910

SHA512
ef48ab22186ca042cfb3c5eee319ddf8f93acbbb3a5af8b5aaa5842d64e0055c876937bd23632f0af27558ff1c2f1bf33a50b63a8bfb9791854145ec3e1d2ee3

Download Submit

Analysis

Sharing