neconyd | 2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237

General

Target

2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
Size

61KB
MD5

bae8f8153cca690a28d4f9994d01e1cf
SHA1

dd7c227d54c3cd18f78f5311aaf60b63e278b97d
SHA256

2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237
SHA512

4730e80d64dac2ee3e6697560fbe51a8bbd823f89bd924bc66a02281bff91c451a05d30c313f31e4941f683fcabcde6918f96da0d7a76ccd67fc704048c19707
SSDEEP

1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZWl/5n:edseIOMEZEyFjEOFqTiQmUl/5n

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1868	omsecor.exe
2952	omsecor.exe
2632	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2556	2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
2556	2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
1868	omsecor.exe
1868	omsecor.exe
2952	omsecor.exe
2952	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1868	2556	2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe	31
PID 2556 wrote to memory of 1868	2556	2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe	31
PID 2556 wrote to memory of 1868	2556	2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe	31
PID 2556 wrote to memory of 1868	2556	2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe	31
PID 1868 wrote to memory of 2952	1868	omsecor.exe	34
PID 1868 wrote to memory of 2952	1868	omsecor.exe	34
PID 1868 wrote to memory of 2952	1868	omsecor.exe	34
PID 1868 wrote to memory of 2952	1868	omsecor.exe	34
PID 2952 wrote to memory of 2632	2952	omsecor.exe	35
PID 2952 wrote to memory of 2632	2952	omsecor.exe	35
PID 2952 wrote to memory of 2632	2952	omsecor.exe	35
PID 2952 wrote to memory of 2632	2952	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
"C:\Users\Admin\AppData\Local\Temp\2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
b1095243c21a2d8437fa46cd1cbb2b15

SHA1
b80673cf7fd2ae0d6553c4678008d208244e5091

SHA256
6c7854c03c1ffb5c25ccaa0a275c245bc0527bde60d5d71784b0765840bd7e29

SHA512
f735b8b6b592b578b6de1053e215f5fb3061d448220f02124957d9d8e5f9d545723db860084794c550d6c8533b018ef0857377b7018fe513b3581d83cb0f5be6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
68ece3019398d5b2b7cae5c24826a687

SHA1
eed63fd349792d8c260edf268d3550f8e037eae4

SHA256
4ca866b48b08a79cd1fc3b1946b1922fb177a624a7974e5bc1d49845d07e860b

SHA512
c946f2263f6e0f05205d0b915d4807109f4b7eca7a7ed2e8096b9d18c78e46ca71ca1c246c426542b6ca75af2b6d6846ad4aaae6d2e34dd06f19da05420ed013

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
1e1e7545c60d577872efe6077d5193a6

SHA1
cfdaa18739bb32e643aec8e530f684d701ec7de3

SHA256
64d4eb66f7adeff9ea917772cffddab3ca2cda427bc6bfbb864c78256f551347

SHA512
c5a18921f4a002bd46fd5fdd31e194752d9bf430edb885836f91c45b25c5c033dd4a9583b22890cee584152aae88f0b944bef16f1b5a4f9131bc12c5c9fa8c93

Download Submit

Analysis

Sharing