neconyd | 03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24

General

Target

03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe
Size

89KB
MD5

61dcf1f43ad6ca9743db5759ca8a0880
SHA1

a6107086850b3b2885a3682acebda7329c4289f7
SHA256

03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24
SHA512

6c1d73723c14092e3879186c4c2d0f2f235033eee9bc039eff70857170cb50e8f14464859a5a28bb2da1d8c4199a577efb35c1adf10f0e5301039b89a8b49dfa
SSDEEP

768:NMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:NbIvYvZEyFKF6N4yS+AQmZTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2976	omsecor.exe
2784	omsecor.exe
2884	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2856	03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe
2856	03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe
2976	omsecor.exe
2976	omsecor.exe
2784	omsecor.exe
2784	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2976	2856	03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe	31
PID 2856 wrote to memory of 2976	2856	03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe	31
PID 2856 wrote to memory of 2976	2856	03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe	31
PID 2856 wrote to memory of 2976	2856	03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe	31
PID 2976 wrote to memory of 2784	2976	omsecor.exe	34
PID 2976 wrote to memory of 2784	2976	omsecor.exe	34
PID 2976 wrote to memory of 2784	2976	omsecor.exe	34
PID 2976 wrote to memory of 2784	2976	omsecor.exe	34
PID 2784 wrote to memory of 2884	2784	omsecor.exe	35
PID 2784 wrote to memory of 2884	2784	omsecor.exe	35
PID 2784 wrote to memory of 2884	2784	omsecor.exe	35
PID 2784 wrote to memory of 2884	2784	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe
"C:\Users\Admin\AppData\Local\Temp\03a512e79ab5e13215ffd6314bfec1cffa571fc5501744628c9c6bc823a01b24N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
e06fe89b92246dea97e498dbd4609a7e

SHA1
281a5a6dc55bc7db435c152c666771fbdd657725

SHA256
d04e989516eae095cce5107db342ec55449a294619a0c3915187c659763e50e8

SHA512
1761539138ca93273f9aae6c35f71d67ac8d38abb68c5b4268b0075bf0379fbc437471fa07e94bc327961e2a7470e5ec0b658d2fdfd92dc4d474a6ed3bd7fe0a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
dbea0c4a023cfcf5b9d366c049a824f2

SHA1
f2b0a0fb7d0f6deb8b896a4e05a050afd0d34cb6

SHA256
339ddf44b59e237b5641d9a1f47efd2caf85474e4fbc60693e460b9b9fefbf86

SHA512
f083f0164bb098c0ef70c7f2946cdc7a0872ffd3fe6a2267bee6968cf0479d90eee594d9fbe2278c65cb302ffe793c82bd0f6a5e679dd4b496b3cfb91e83915d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
c6549b4b5e5f11b9ad3df336e305e75b

SHA1
9567ad466774c9f1f450a54522eb5bd81ecc587b

SHA256
3379d3a083c1f842cd137803161c7841ee0dee4e628d002b4b45d732a723b3fa

SHA512
1dd30cbd9450fde1a5960ee63d94314119c36fdccbbe78fbb548282edcf64c26c35ad15a538f78dd5f489b724e9bffd4ab28be1f3edb9379821438ff0188fea8

Download Submit

Analysis

Sharing