neconyd | a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808

General

Target

a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe
Size

88KB
MD5

49eb23c4378f48dbc96a6f0435bf70a4
SHA1

e2cdd469339b7ba9461f71af8f8fdfeea06cf9ca
SHA256

a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808
SHA512

d16e8e7fd3382a000096dc04c3033c892aff2deb4ef652d89d1e9b99429c3e44eace35f6450a1d071ae6b35711a6fff38ca348897349a5b31410b289a78abe82
SSDEEP

1536:6d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5J:adseIOMEZEyFjEOFqTiQm5l/5J

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3068	omsecor.exe
2144	omsecor.exe
2868	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2640	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe
2640	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe
3068	omsecor.exe
3068	omsecor.exe
2144	omsecor.exe
2144	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3068	2640	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe	30
PID 2640 wrote to memory of 3068	2640	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe	30
PID 2640 wrote to memory of 3068	2640	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe	30
PID 2640 wrote to memory of 3068	2640	a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe	30
PID 3068 wrote to memory of 2144	3068	omsecor.exe	33
PID 3068 wrote to memory of 2144	3068	omsecor.exe	33
PID 3068 wrote to memory of 2144	3068	omsecor.exe	33
PID 3068 wrote to memory of 2144	3068	omsecor.exe	33
PID 2144 wrote to memory of 2868	2144	omsecor.exe	34
PID 2144 wrote to memory of 2868	2144	omsecor.exe	34
PID 2144 wrote to memory of 2868	2144	omsecor.exe	34
PID 2144 wrote to memory of 2868	2144	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe
"C:\Users\Admin\AppData\Local\Temp\a2ea6dee6803ca5b2ba07efa5a11df2776add39c344b176b3cd779cf22d00808.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
670d464fc9ffc7e9a01d89bc39d70984

SHA1
229e9b324110b7e874ca6bc4f41d520c8c3d39fb

SHA256
68a716e2eda79097b67c345d70634ecdf2d0a786004bd9db9a7efcd8d3403c5d

SHA512
010b2bba34d91d3bc1a31c757912112c1a0c13a840927001ebab09c8cbd5c7dde395cf7df127a2b8a574d79a7001c4b5ec203b275f14d30ca10b464309a95060

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
2f8e6542697e6a93e968d2cf61f1882a

SHA1
d6b3c87245f1aa9a5a6c6e4ceae5132f30ba854d

SHA256
885b04bc70adff1b8318af68156170f63c35e0fbc37b2413f22238e4747cd749

SHA512
0df698027cb3bf842f578705835064aec6ec2bf2b5f1b7a0982bbd203c4a37c30db15f18735222a7cd32b7b179bb13ad3a5012a896636385d3d220e3ca47c291

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
b04e6025dc2f9167f10354295fa31d6b

SHA1
bfd6c38550aa0a46d979434f062d1ee9db682b77

SHA256
09b5c3a5e517e9691f661a06877f008f27464595c22dfec35f4d036c355316c5

SHA512
14fb5da734cae6b2a0e276f616edc0ebfd6444e31b6cf15bd12769ac1e05dbf97e4132355707c2442b59f4c06fccb339a096d902a9b2ffdfa88bf02d3c8ad7fd

Download Submit

Analysis

Sharing