neconyd | 8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea

General

Target

8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe
Size

89KB
MD5

f48e5581996ea07ae99fe50c33d70e7c
SHA1

0b043c344c8357b147f9d6d3939df5a31ace50df
SHA256

8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea
SHA512

2365d344d905d85a93e08d322ff041b8b3f8db7f834b58b8bb26483b71b48bb5fb7d32c76b2d42b8c073a0b5105b596feec8fd867effb493a72a8846de1d93eb
SSDEEP

768:V2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:V2bIvYvZEyFKF6N4yS+AQmZTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1088	omsecor.exe
2532	omsecor.exe
2452	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2256	8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe
2256	8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe
1088	omsecor.exe
1088	omsecor.exe
2532	omsecor.exe
2532	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1088	2256	8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe	30
PID 2256 wrote to memory of 1088	2256	8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe	30
PID 2256 wrote to memory of 1088	2256	8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe	30
PID 2256 wrote to memory of 1088	2256	8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe	30
PID 1088 wrote to memory of 2532	1088	omsecor.exe	32
PID 1088 wrote to memory of 2532	1088	omsecor.exe	32
PID 1088 wrote to memory of 2532	1088	omsecor.exe	32
PID 1088 wrote to memory of 2532	1088	omsecor.exe	32
PID 2532 wrote to memory of 2452	2532	omsecor.exe	33
PID 2532 wrote to memory of 2452	2532	omsecor.exe	33
PID 2532 wrote to memory of 2452	2532	omsecor.exe	33
PID 2532 wrote to memory of 2452	2532	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe
"C:\Users\Admin\AppData\Local\Temp\8aaac2fed9e3a219d1790d3bde6ddbe2adf635d9d0ebd219484bca00e78a05ea.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
a4d0e21efb9ac04a7853877554cb63af

SHA1
08de5787b5d62cc2128e99c4b9fa9fb0cf708163

SHA256
245eaa36fb2933049a90119736832542ac683ddb43c5135476d0bd590c80ed25

SHA512
e4666edd86ecb267b9fa94fe504ab4b43b7f8e07ef64a490961d3963e25093825f4765468aa86cf11556dcd6ed50d949dfef6520059df4236fead6353e0ac94c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
34375609fba4c440a186bebe7c6c4115

SHA1
55e40b3ff2aff6e2eae7c7017c443a52d3c9a952

SHA256
ff2b692150592d2047e76bf7dc4086f7230d0b63f24e9ac0488870870fcba565

SHA512
901ec03db03a6c4022d1d737f279e62d431b5760e2022989df98a91439223c3d82d49382ed286d872cfcfe11dfa53aeea80ebe9b68f9b9767cf824e709b80b63

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
6e4499a5630212f0d331fc285eb34640

SHA1
20c034d2bef465f400f15e0edd2b9d7f82696ee4

SHA256
d08e35472eca628d417a5beaa404833c8004207f20320cc8dfbb27aa6ae52e51

SHA512
4c702cf0e872ce1a4ca66106b7034acc9a15b68bb5a4e165a035d225c6b986199ff6502171a495d0bd8262677c91825dbcbf6d60d67109e7faa69a542a8a8cbb

Download Submit

Analysis

Sharing