neconyd | 89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5

General

Target

89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe
Size

61KB
MD5

017d109c5cc843b13731af066ada150c
SHA1

b8f708f3c21a4766ca1283de3ad9984e59ef8a03
SHA256

89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5
SHA512

51de8bd5811b92b86cb23de784627ac264fcbb32f0a6761ee9302c77e33e8efbc97ce111b9c61db51f0d078b5166304c62ec946ee806a20b9c1339ac3a4842cc
SSDEEP

1536:sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:UdseIOMEZEyFjEOFqTiQmil/5P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2244	omsecor.exe
1680	omsecor.exe
1364	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2112	89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe
2112	89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe
2244	omsecor.exe
2244	omsecor.exe
1680	omsecor.exe
1680	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2244	2112	89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe	30
PID 2112 wrote to memory of 2244	2112	89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe	30
PID 2112 wrote to memory of 2244	2112	89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe	30
PID 2112 wrote to memory of 2244	2112	89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe	30
PID 2244 wrote to memory of 1680	2244	omsecor.exe	33
PID 2244 wrote to memory of 1680	2244	omsecor.exe	33
PID 2244 wrote to memory of 1680	2244	omsecor.exe	33
PID 2244 wrote to memory of 1680	2244	omsecor.exe	33
PID 1680 wrote to memory of 1364	1680	omsecor.exe	34
PID 1680 wrote to memory of 1364	1680	omsecor.exe	34
PID 1680 wrote to memory of 1364	1680	omsecor.exe	34
PID 1680 wrote to memory of 1364	1680	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe
"C:\Users\Admin\AppData\Local\Temp\89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
72045e347e684a9f8ea8d54f23ef1423

SHA1
83b9a622fdd7c59d1f8db40a794c721ccbf690b5

SHA256
6f5a4fb2da77ee9325fcc3f3e81d51458abca28eee2e44707fa2fb102e0eca2c

SHA512
f8390f0f137af470effbada92b03620e19232cfc1a94c48058033a3063c476756daf1c30caea9e34a05bdaf4a0168ff5fd490c739a6b0cffb326d6b25d1b506f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
579fc5cdcde1918a668b39fa41a797de

SHA1
f9a868267007576e9b9df652bf56e7367baec4a4

SHA256
541abb86e2cf09468599036fd972fd700879a8b7b64db97dd4ec749bd9a3092a

SHA512
f422cf9c541d5880857bcd9081833e3077601956a5f6b4b74d1edc97096ee931d3167b4e693a48cd03425cfc2afe5944ba58889e305b26898456305b0fc501cb

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
8626221cdd5579d1451c9eba81ff89e7

SHA1
7ccfc3dcd1809129c3ee9982c0c791a621a46ec1

SHA256
952e16162ebeffdbee9c19c0cfe738be69fb4444022d6860825a4de6e1877aad

SHA512
bdac09b613f458f38b2a7f8cfd92dc12443ba93efd5bd21275290a2f39a606e2cd03456c31a6e96c55607bab18d928e1e3e28d3239e5db76200fcdee9604dc11

Download Submit

Analysis

Sharing