neconyd | e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a

General

Target

e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
Size

72KB
MD5

079298856becc586055d399ad5a5e2f4
SHA1

e71567fa6db0a2f8ec739e304282856306ce2327
SHA256

e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a
SHA512

2e9bb64ccf48e44e69520b838c16ae8df3e5b4ca2f9555a5753412392b3b2f650132c5769c7832132839ba5e80cd10c33ebacb1107f258b2a78eb273880f9449
SSDEEP

1536:yd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:CdseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1964	omsecor.exe
2640	omsecor.exe
1048	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2236	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
2236	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
1964	omsecor.exe
1964	omsecor.exe
2640	omsecor.exe
2640	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1964	2236	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe	30
PID 2236 wrote to memory of 1964	2236	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe	30
PID 2236 wrote to memory of 1964	2236	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe	30
PID 2236 wrote to memory of 1964	2236	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe	30
PID 1964 wrote to memory of 2640	1964	omsecor.exe	33
PID 1964 wrote to memory of 2640	1964	omsecor.exe	33
PID 1964 wrote to memory of 2640	1964	omsecor.exe	33
PID 1964 wrote to memory of 2640	1964	omsecor.exe	33
PID 2640 wrote to memory of 1048	2640	omsecor.exe	34
PID 2640 wrote to memory of 1048	2640	omsecor.exe	34
PID 2640 wrote to memory of 1048	2640	omsecor.exe	34
PID 2640 wrote to memory of 1048	2640	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
"C:\Users\Admin\AppData\Local\Temp\e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
35cb006f3e89671f47c1279788e7f1a3

SHA1
c6e1c611841c6effe2f08124c733b6908e64feaf

SHA256
db7db8518c27a79ae88f6e50716df62bc8d2b0384992db60b607ee4a7a723719

SHA512
99cc00f9f1e79c2076da0c48136b6e192bcfda01b75a3d0cbe67be06960490646307883c22bbe785d863ebbf822a2cda5458d06e710808958ec23ee05f0b172f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
18786681d3d2f71297217f953a1d79c7

SHA1
d5733e8868141341083f20c30bf3ff09f5be5f7e

SHA256
48f6f64752b0ac1d49ffc06085bf6388d60599a25beb338e487e534d7402d43a

SHA512
6ea4dcb8becd53920cbc1de86e8344245bcc77770f75059ad387eeee204af010cd71a3dad25c87ca4b822666fc3eb3f42735e827be7d60ff0b880e719af956ae

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
8b90217cf8b26d872152d151518fb092

SHA1
0a3a62d10e27cb11b610fe13dd25e948d63e7dd7

SHA256
23477e114c02d06d1401fe923bb2769b4b5ec24bbf98724b795b6dc74053acd3

SHA512
86e6fab15ee5b15cf976aa2c7f27b5b4087ca4fcd2430b00e743010ce4dd8798ce75075d0138900e8d4d24c69b852623b7ddeb2ef271feac10e06eddedb366c2

Download Submit

Analysis

Sharing