neconyd | 088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908

General

Target

088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe
Size

76KB
MD5

f258e3204bbb59c6cf0d5cd73e05df4b
SHA1

bf6d6beb5dc195a2f028b834d798f1035159dcdc
SHA256

088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908
SHA512

8117b42d31c0442addbd70b5d7125ec4354e51e3013eba1ea658fe9769e86c3a7e674c7de5aa54a9515ca6fed8f938773ee1f7e94b98dc1c9a7f4a52d5b59f59
SSDEEP

768:AMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWD:AbIvYvZEyFKF6N4yS+AQmZTl/5OD

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2972	omsecor.exe
2156	omsecor.exe
2884	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2648	088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe
2648	088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe
2972	omsecor.exe
2972	omsecor.exe
2156	omsecor.exe
2156	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2972	2648	088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe	30
PID 2648 wrote to memory of 2972	2648	088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe	30
PID 2648 wrote to memory of 2972	2648	088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe	30
PID 2648 wrote to memory of 2972	2648	088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe	30
PID 2972 wrote to memory of 2156	2972	omsecor.exe	32
PID 2972 wrote to memory of 2156	2972	omsecor.exe	32
PID 2972 wrote to memory of 2156	2972	omsecor.exe	32
PID 2972 wrote to memory of 2156	2972	omsecor.exe	32
PID 2156 wrote to memory of 2884	2156	omsecor.exe	33
PID 2156 wrote to memory of 2884	2156	omsecor.exe	33
PID 2156 wrote to memory of 2884	2156	omsecor.exe	33
PID 2156 wrote to memory of 2884	2156	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe
"C:\Users\Admin\AppData\Local\Temp\088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
9c4f25a36015f0679d067e532fe07e75

SHA1
b04734f9f29c84dbf65ebd96d6dc20d89fd45093

SHA256
6e6c6c232398e7f5998bf367705409ced9a4e1dc53ae2b239f3d9dc0fb8231fd

SHA512
383e6d679a98824e6bf695fee41470bc45c0df24afa2811e0c78831b87182be7dd9701c4b2a4f7cdf44a37a93e00b0304f6e94221d5cbabe6d242b0d7bcd0b5e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
11066a6aac5147e2fce8d138fa4e79bd

SHA1
97f043de83f085d730098ad1b0b537b3bb7a0a76

SHA256
3dfe6b36381292daa359783af7eabc1d722360df9f43eb76177dcca97cdaf22b

SHA512
079378725f077aa62537c70484f6f70427bada879021c704b910c53cfaecfe477df2425e40fced25ff3917d462ad137e47e88a22d83d1e170f06f96ff3b71be3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
4d4f72665ce4974d334cf50b8da4c8c7

SHA1
3f50db84b9814b38c2e53b958eb90449d7ac030f

SHA256
c6f06b952064766de5e49ef5aad7fd4f7c574643dbf4c5fff9fbdf43cc699fce

SHA512
a620b0b77bd2298127b7b32649397584965b54690421b8934e21d7184f57e3206b5b7bc660db906cf729f74ba57b2014b5f66e24556fee058e931555bbd7847c

Download Submit

Analysis

Sharing