neconyd | 0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db

General

Target

0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe
Size

64KB
MD5

2a42938dbcea7415ecc256d45ff9ecc4
SHA1

6db8338d26b5962e40ecb766fff88fed29c7ec2e
SHA256

0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db
SHA512

a746c4f02fb8889edefe5a9834c9db625c09f13902b8683e3883fa0c30d908f3bb6212defbcadeae001ea46cd1ceb5e647aa74f6a881d09131949f028765e427
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:4bIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2968	omsecor.exe
912	omsecor.exe
1692	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2952	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe
2952	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe
2968	omsecor.exe
2968	omsecor.exe
912	omsecor.exe
912	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2968	2952	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe	30
PID 2952 wrote to memory of 2968	2952	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe	30
PID 2952 wrote to memory of 2968	2952	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe	30
PID 2952 wrote to memory of 2968	2952	0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe	30
PID 2968 wrote to memory of 912	2968	omsecor.exe	33
PID 2968 wrote to memory of 912	2968	omsecor.exe	33
PID 2968 wrote to memory of 912	2968	omsecor.exe	33
PID 2968 wrote to memory of 912	2968	omsecor.exe	33
PID 912 wrote to memory of 1692	912	omsecor.exe	34
PID 912 wrote to memory of 1692	912	omsecor.exe	34
PID 912 wrote to memory of 1692	912	omsecor.exe	34
PID 912 wrote to memory of 1692	912	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe
"C:\Users\Admin\AppData\Local\Temp\0a97530a77e2e5f10dc1396c72f89d415b64787d78b7f1e0fc4e099c77ebc3db.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
c2bddf8a957f407524531cf9671ae96a

SHA1
5ca68420340a52528e3d8d6ad39c5d5e7ecaf602

SHA256
8e00aeba75275bb35d1b78c01c80a22178d0bce99df49382ff23e42d0264c5ad

SHA512
ecc59d365c6ff5a1275456b5111a1c7406c72711d10ade300146000fc852cce987a90a8d50e34e110b2bf04e0b71cc7ac32c09455225b6e92676f35b1cbb52ec

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
9ccc73ad1f6d02d13e0ea158cfc7b835

SHA1
ccf92f5eb26cb8f68ca36fd34bd089b267b37130

SHA256
d9da8519b00bc5d869996fdf4b0e98761a0db2a45f1cfd9085ff8a6cf0ef468b

SHA512
75b56f656b2cb4ab5e3093253e7020d124c7ad25d0151a9dd0d21582fefec26fa07b6e11b822571b2e547fe9bd6dedc4f0940f538166f5480255682a15ef572e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
29b5db1dc95db1eb6118459dff4a2b18

SHA1
c0f5b471e68ef077be76ed7e64855394692c5015

SHA256
cd2e4b58cbd6e646b7beafa23e85bbe07e37aede6b229a35f839a99047aa1008

SHA512
69387113977c0dc537ad7ecf96b32d142f3764ae5e757dd52fa08ddc68a1e13faa2540efc8a3a8b388dce31dbea638e0891d49b45cb0229f249f1155291cd64a

Download Submit

Analysis

Sharing