neconyd | 8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2

General

Target

8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe
Size

80KB
MD5

fd4b4b9bf0ea8788ce2983a134672113
SHA1

75bf364ed59ea1167ee302cdf85453d91ab963a3
SHA256

8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2
SHA512

98cd5d2bc87901673b1e56fdec2d5c82a552c9f91e2b26d62059b740231174dc7e74bd8ada7592cd8103ca01da3a60862b22dd9b6c04d43a41c4ef7dd9c5b211
SSDEEP

768:6fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:6fbIvYvZEyFKF6N4yS+AQmZTl/5S

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2840	omsecor.exe
2012	omsecor.exe
2816	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2936	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe
2936	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe
2840	omsecor.exe
2840	omsecor.exe
2012	omsecor.exe
2012	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2840	2936	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe	30
PID 2936 wrote to memory of 2840	2936	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe	30
PID 2936 wrote to memory of 2840	2936	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe	30
PID 2936 wrote to memory of 2840	2936	8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe	30
PID 2840 wrote to memory of 2012	2840	omsecor.exe	32
PID 2840 wrote to memory of 2012	2840	omsecor.exe	32
PID 2840 wrote to memory of 2012	2840	omsecor.exe	32
PID 2840 wrote to memory of 2012	2840	omsecor.exe	32
PID 2012 wrote to memory of 2816	2012	omsecor.exe	33
PID 2012 wrote to memory of 2816	2012	omsecor.exe	33
PID 2012 wrote to memory of 2816	2012	omsecor.exe	33
PID 2012 wrote to memory of 2816	2012	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe
"C:\Users\Admin\AppData\Local\Temp\8de6f9b770a5b12f471a927ab8d73199b1469221a8d73a42b29c2bd4bcba7ae2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
d3cddd2cea949afa68df39879b0f90c1

SHA1
0f4af3965755d007025531e2cebf8c5061f70722

SHA256
0d0d65d631d44b56b238b2979cd40f2e1fc79673f2086ddd17586f66dceb4797

SHA512
c3834dd7384dffcc59c119c6634c1d9d3e947a1ddc3e5045184a625b6869c148d65dc82871d97822ee64883bc7b9380e5c9353f73ee3ee364d45ccaf05c9c981

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
a3261508b8747a40b99648974c3fdfe9

SHA1
4c11303da8c470ae8739844c3ba1aa7503cffce6

SHA256
ea1783f3385a6d9216144366851e2a5ec2a0b233cb3e2265e67f091dc5609bd8

SHA512
279bf33e04e6ca7eca44609636950d1b6e17a9c4698806df4e6ac5547197f42651760e00807e85c44f5c194f16780434716401d28ab1959125121d8c1179b8ce

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
3bfbd5c96049a80ae0a6fe393106e1fb

SHA1
ecbed9eb5ee925420c86bfe9736abc27367ded21

SHA256
defa167298686d72180116f9ce67a68d7283442d6303422f09b1ee877651494f

SHA512
026b9da21d67732d1cc4b297d978b3d7a144d6e07bd728bcd8186704df81bc06d4a3ae620eca4f391e6138496ce3631a4b875ff6e908d18e53c2389f514ae052

Download Submit

Analysis

Sharing