neconyd | e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7

General

Target

e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
Size

88KB
MD5

90da53acc55d7dc094402216130d6fb0
SHA1

6514620fb963d50a859dd627c29aaea2dd3c1017
SHA256

e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7
SHA512

379b1c0cb65f1b2656b995cd4e269dffb06cb6df5cb52bf0f6d5c55d309f68aac36740350968b1fe7afe71c245f2796f67f3e41a189c54aefe41d704745bddba
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5R:LdseIOMEZEyFjEOFqTiQm5l/5R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2760	omsecor.exe
2928	omsecor.exe
2748	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2692	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
2692	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
2760	omsecor.exe
2760	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2760	2692	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe	31
PID 2692 wrote to memory of 2760	2692	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe	31
PID 2692 wrote to memory of 2760	2692	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe	31
PID 2692 wrote to memory of 2760	2692	e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe	31
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe
"C:\Users\Admin\AppData\Local\Temp\e3f9e5ac4f5771921487ce28ac4c1d63fc12b5460feb6afd65d5d9850a1dfdf7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
81850f2b6f195e787c5e5aa4b659e592

SHA1
f055e0f20f00cdb552db09c769492c1cef33b4cf

SHA256
f418bd53decde76f37db315fb74d326c0bc48caeb03918abfdc1edaa66133b88

SHA512
c50126d563518c0d2661bb5a2851957bdbe1309a0f5190c148aff11e804e1212914c510813126e77efdadae22a296126035ed28ba60d1dda3ea1f7d86c96e53d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
4111321b35a29d1dccedc35e539c0e92

SHA1
4fc40a578108e456af40b4612b9a5fc92446f0bc

SHA256
1ca2d99cf7e5f549426479ea9780b3013ad61f876a10258d95cd65e48d117a28

SHA512
85914cf7f0c3604463d3a14065817158114045d6dfde0a887ac3be35d35e4ceae5678cebacc5f11809e26e7587fe914a8acf60730e6b4db2e2542ca42d606824

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
0a3d7fe47d741c7d54cde1eec698ce06

SHA1
8c2fcf0bf67fc2670700973a7aa2213e66851a1c

SHA256
15a18a0457b09e11db69dcabe0ecdf8f8b19fa474634c3b0286efeedbbbc4d87

SHA512
1359ed3e629f92b22049ccda8d1f3783df55fcf7994867ed803c90422569ea485481c700c74427c4b713aa60abae0b7d00024cdfa084ab433bc0a24e1568c8aa

Download Submit

Analysis

Sharing