neconyd | 0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2

General

Target

0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe
Size

80KB
MD5

fd999c88cbe8851301b5aada002716c0
SHA1

4020bb765cad3fc7bb1daa3556ae542e5d7607b6
SHA256

0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2
SHA512

67ce116312bf5258f719f9a9a6cf95de99276516d9e55165d9e27f43fc88f54a7901397ac6f92543669c0ac0034809fd169236194df25b8e9d341a95e20466a6
SSDEEP

768:tfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAe:tfbIvYvZEyFKF6N4yS+AQmZTl/5W

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2272	omsecor.exe
2640	omsecor.exe
2660	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2080	0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe
2080	0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe
2272	omsecor.exe
2272	omsecor.exe
2640	omsecor.exe
2640	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2272	2080	0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe	30
PID 2080 wrote to memory of 2272	2080	0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe	30
PID 2080 wrote to memory of 2272	2080	0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe	30
PID 2080 wrote to memory of 2272	2080	0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe	30
PID 2272 wrote to memory of 2640	2272	omsecor.exe	33
PID 2272 wrote to memory of 2640	2272	omsecor.exe	33
PID 2272 wrote to memory of 2640	2272	omsecor.exe	33
PID 2272 wrote to memory of 2640	2272	omsecor.exe	33
PID 2640 wrote to memory of 2660	2640	omsecor.exe	34
PID 2640 wrote to memory of 2660	2640	omsecor.exe	34
PID 2640 wrote to memory of 2660	2640	omsecor.exe	34
PID 2640 wrote to memory of 2660	2640	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe
"C:\Users\Admin\AppData\Local\Temp\0a81b3ecc4b2173d77740b92c8fe6b0d8e18904bf19fe6bf34b5392e5c35ffc2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
97d1260b6f3c783ff8605fe021676828

SHA1
76b32bb33ee3c44506d9fa4d72e6bb2ce8253b2b

SHA256
de5afdaafd570259f1a47ac2ee1b83d066d7bb2c49ef818b19569cd7c24926bb

SHA512
458c2b8c68921d3e8e3c8ed28596760529be4571a0f94766139637414d2f3fae34d0214b1f9306eb0ecf9ef114c9b997104e98b997ca0da645303293e1848847

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
691d02d74691cad317b397fdcb4da9d4

SHA1
89fa82edd43de0f809b374b498ca4d5d847bccf0

SHA256
3e87362c34368adf66f6d4e69961b9951b6e10564b0d8daa23b77e059aea58b8

SHA512
40a98ad6b1f674af7b65ac7c8587c129f68d8e1d8e5a886a61dd30f4b9cbac0ddeeba3d162146dab90cec48d5060301a34ceccf6202a7fc2dd7eb190ac38daa9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
ad00df88ca2b34bd66dfa8e0437d09ab

SHA1
425d183db4cfb58b5127d5c7aafcce7b83cb75e5

SHA256
05907a17321b2869defb52b0fc89c7e680da60d931feef6efd4fe8abb1134232

SHA512
2e9c63dc7829ebc1e37a0f76c3b41155734091444ba378979ca0828435f13c704782681ae2e9692b6c37960b7adc2e137d09655ca9ba3ff748fd0a344002baab

Download Submit

Analysis

Sharing