neconyd | 3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e

General

Target

3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
Size

76KB
MD5

a4bc7c45722cf2a4f9a6759b885bad6c
SHA1

a7c74bab40d8db95ad9fd9fb30dce5491f257e7f
SHA256

3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e
SHA512

17eb0bf4e9e3d13652c9fc0484f50a1477f840199b92715d24bf3b21be0bc670619aa64eff2a6f59fb48d25ae1f3d4abdb2fbc96acfaac247be1f9a91fcd30b1
SSDEEP

768:O2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW7:/bIvYvZEyFKF6N4yS+AQmZTl/5O7

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2876	omsecor.exe
2968	omsecor.exe
2032	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2872	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
2872	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
2876	omsecor.exe
2876	omsecor.exe
2968	omsecor.exe
2968	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2876	2872	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe	30
PID 2872 wrote to memory of 2876	2872	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe	30
PID 2872 wrote to memory of 2876	2872	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe	30
PID 2872 wrote to memory of 2876	2872	3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe	30
PID 2876 wrote to memory of 2968	2876	omsecor.exe	33
PID 2876 wrote to memory of 2968	2876	omsecor.exe	33
PID 2876 wrote to memory of 2968	2876	omsecor.exe	33
PID 2876 wrote to memory of 2968	2876	omsecor.exe	33
PID 2968 wrote to memory of 2032	2968	omsecor.exe	34
PID 2968 wrote to memory of 2032	2968	omsecor.exe	34
PID 2968 wrote to memory of 2032	2968	omsecor.exe	34
PID 2968 wrote to memory of 2032	2968	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
"C:\Users\Admin\AppData\Local\Temp\3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
46122e43b4433cb0ea06633c98ac7ea5

SHA1
22e486cc321ce6f18874d04f07f34d19b35af1a4

SHA256
4bc36e4c6b311e44edd9fe090ba76f499ad6e47c78d6feaead8da3df6be83804

SHA512
bc13903145438ff7824817b64f472c11378b64a0f9b53825da8f21afadcee895ca7348027c09a4aae7c3322a1ab7c1a9d3cd138a426144f0b92c7384901b431c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
0339db149beadf21e05483499ed5aff3

SHA1
aace77dce9a892c04d3221d57a2d81bd4b6300bc

SHA256
aa8e9a6a6435c7e6ab638dc56a87c53c8fed6f20510c96fcbdd490c1ba125e44

SHA512
d9ae87870af02f99359e997c399bb8ac0778ac2a6bc855101b9662410307036f1eb8eee53bbb2bff7043094012a50a750bcd2c559e04fb0f27676e10e21a03a4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
35dd46daceac9104689f64887ee586e1

SHA1
f8c476c80665d4cb65315c5bd832d6f7ce2fd2d7

SHA256
a2cdc5ed0087b6c2632e6434e9ed75c433e2e7fb015563531c8e709329523732

SHA512
08292a2d534fe2bc3d3fc96b617dad5304fa88a236a094132b7831bbcad196a8fadfd059d80011b56e9a07ff2812c80d8428b3f4aadca7a18ce79a13297dc03b

Download Submit

Analysis

Sharing