neconyd | e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a

General

Target

e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
Size

72KB
MD5

079298856becc586055d399ad5a5e2f4
SHA1

e71567fa6db0a2f8ec739e304282856306ce2327
SHA256

e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a
SHA512

2e9bb64ccf48e44e69520b838c16ae8df3e5b4ca2f9555a5753412392b3b2f650132c5769c7832132839ba5e80cd10c33ebacb1107f258b2a78eb273880f9449
SSDEEP

1536:yd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:CdseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1752	omsecor.exe
2932	omsecor.exe
2792	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1944	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
1944	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
1752	omsecor.exe
1752	omsecor.exe
2932	omsecor.exe
2932	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1752	1944	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe	31
PID 1944 wrote to memory of 1752	1944	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe	31
PID 1944 wrote to memory of 1752	1944	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe	31
PID 1944 wrote to memory of 1752	1944	e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe	31
PID 1752 wrote to memory of 2932	1752	omsecor.exe	34
PID 1752 wrote to memory of 2932	1752	omsecor.exe	34
PID 1752 wrote to memory of 2932	1752	omsecor.exe	34
PID 1752 wrote to memory of 2932	1752	omsecor.exe	34
PID 2932 wrote to memory of 2792	2932	omsecor.exe	35
PID 2932 wrote to memory of 2792	2932	omsecor.exe	35
PID 2932 wrote to memory of 2792	2932	omsecor.exe	35
PID 2932 wrote to memory of 2792	2932	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe
"C:\Users\Admin\AppData\Local\Temp\e97a3f55c3259cd7903203982abb86e6d3dbabf4085737c7cbedc610def4402a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
35cb006f3e89671f47c1279788e7f1a3

SHA1
c6e1c611841c6effe2f08124c733b6908e64feaf

SHA256
db7db8518c27a79ae88f6e50716df62bc8d2b0384992db60b607ee4a7a723719

SHA512
99cc00f9f1e79c2076da0c48136b6e192bcfda01b75a3d0cbe67be06960490646307883c22bbe785d863ebbf822a2cda5458d06e710808958ec23ee05f0b172f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
80b7a15abf9f3541600ee0ba4ba96048

SHA1
741e1271697d59c5ddbe37023ba750fbb12702e6

SHA256
cbaaf80152305baf581b91e3c9af963ab951ccca5b700d276cf372e554f50dc0

SHA512
37aeff623ef300843d5e02e7aff552bada3fcc5dbfedf831a2daca55a51d7adc08102997a77eae072264e1a62d8f22f96cea96193edaa30ec9b89b469fc2f6fa

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
863e256f91b81ac76fa57eeab46fd673

SHA1
70ba8ee1a485d079c92fb848a08ad8fd48bf03f0

SHA256
fa50c320a7e071aba9be3411ada0d5865b8d81c084208c180e93ed46db404ec6

SHA512
3cc6f13c1fcf4abc408214bddd23a25abd27638cb06b8e6e99a2a8897fdf8d7166a45fad9b1c9fa360028899c26babe1be04b950675161fb52321cae9936abe8

Download Submit

Analysis

Sharing