neconyd | a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943d

General

Target

a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe
Size

72KB
MD5

e29e0c6b9f301f484ca794d6bc375030
SHA1

076234eafa6868e095ad2b5637b5a1efbe553fd8
SHA256

a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943d
SHA512

95e115f23f54b86cbf98c8b6a67486d8ccf53233f76fea06dfddb00b4a7bcf57879498edad4968f017ca4c9e9142a8825dd7e5b74eb9fc834991fdcf5fda821f
SSDEEP

1536:vd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211F:HdseIOMEZEyFjEOFqTiQm5l/5211F

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2224	omsecor.exe
840	omsecor.exe
2848	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2184	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe
2184	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe
2224	omsecor.exe
2224	omsecor.exe
840	omsecor.exe
840	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2224	2184	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe	30
PID 2184 wrote to memory of 2224	2184	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe	30
PID 2184 wrote to memory of 2224	2184	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe	30
PID 2184 wrote to memory of 2224	2184	a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe	30
PID 2224 wrote to memory of 840	2224	omsecor.exe	33
PID 2224 wrote to memory of 840	2224	omsecor.exe	33
PID 2224 wrote to memory of 840	2224	omsecor.exe	33
PID 2224 wrote to memory of 840	2224	omsecor.exe	33
PID 840 wrote to memory of 2848	840	omsecor.exe	34
PID 840 wrote to memory of 2848	840	omsecor.exe	34
PID 840 wrote to memory of 2848	840	omsecor.exe	34
PID 840 wrote to memory of 2848	840	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe
"C:\Users\Admin\AppData\Local\Temp\a20e97995ea7d2dcf4b33cfdd2d62e0b30f38e1924545a86452cc1ac32be943dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
de9931ee991f52301fad6bdc198f5af2

SHA1
a6d09a05f86e8ee01aab717ad106d3c5fed2f6cf

SHA256
3f6db1d473113d7209b65f8796ac89c6adfda20b1249733a65b5c12ea180953c

SHA512
cb1bccdb74c17f04141490a677e3416a7406e8d26570235d9603c5fbbad7f90cf6d4e92151f1aff7cedf8fde513a7ba7498764b5fae7f23006dbd70390b27735

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
925277aeea72a909e6c7ebd5af58e97a

SHA1
dd098043ccfcd9b76bf449b55f5ea2716f964f6f

SHA256
29bdad15d09264dbef6826b1e41ec7e99af89ea8a127cf3fef271bea729f11ac

SHA512
5332338cf16943f749a558e60f9a6eec8fc1dd22eb55b4111b080d079612b0ead5a73ccb8c4605b0ab5d6bfc755212c71a9655e8e705ffc75fdd8b9d92f39994

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
9fd2ff98b6997fb00f5b513c949f16e6

SHA1
874b2e89e6607fcfcfd4ddcf382de144ba9b4ba1

SHA256
098911428f118d03699bbcbfff9d76325beeb2f9ec2810163661853d597e996a

SHA512
5f35cdf6b4811b22c105e655ecf6b76e2856a4170a14eaa3843ea8622d9b6e24d2340613d96bc812a886f8b4688f5bfe6dbadc798440c44fa5945e87667e680a

Download Submit

Analysis

Sharing