neconyd | 0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0

General

Target

0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe
Size

76KB
MD5

3beeabe619f4a58aea904f4ce18a62a0
SHA1

f7a11cc96c03b5054f926c9dbd6548310c033304
SHA256

0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0
SHA512

45269d6a9c8f57fd96851a247972db9280ff08608b5071b9b3a6754885aee7fb1a5343608b7d9a293142a679566bf9d8fa5d4c9a610a9d2f5217627dfea952d2
SSDEEP

768:p2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWZ:kbIvYvZEyFKF6N4yS+AQmZTl/5OZ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1740	omsecor.exe
1956	omsecor.exe
1420	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1908	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe
1908	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe
1740	omsecor.exe
1740	omsecor.exe
1956	omsecor.exe
1956	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1740	1908	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe	30
PID 1908 wrote to memory of 1740	1908	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe	30
PID 1908 wrote to memory of 1740	1908	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe	30
PID 1908 wrote to memory of 1740	1908	0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe	30
PID 1740 wrote to memory of 1956	1740	omsecor.exe	33
PID 1740 wrote to memory of 1956	1740	omsecor.exe	33
PID 1740 wrote to memory of 1956	1740	omsecor.exe	33
PID 1740 wrote to memory of 1956	1740	omsecor.exe	33
PID 1956 wrote to memory of 1420	1956	omsecor.exe	34
PID 1956 wrote to memory of 1420	1956	omsecor.exe	34
PID 1956 wrote to memory of 1420	1956	omsecor.exe	34
PID 1956 wrote to memory of 1420	1956	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe
"C:\Users\Admin\AppData\Local\Temp\0abe9ae923dadc21de8d38d59e3280966a5c947b491b908329cf2593c299daa0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
c6c640663dcc7d1e9a946fd889fd3e66

SHA1
c06b96a009536cd7cd6a2936ca2786d6ad107362

SHA256
1079f106a3da699b0db8f522e0b69739f17129d64c8ce4f5e807c3ce1ca1f18d

SHA512
2a55a98ef787135ada420d5abe5bec5b64994f6cc3f929694ba3267ad12d4c90cd3c496fc805f97235646db2fdd54075809269370b2d28298fc6798c2028e794

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
6c9291262117056cd7309da503a52d47

SHA1
c4c9bc7d597a899c54f88756153bb4d5461bc795

SHA256
3f7b0355c43a2eb8a50420c6a5063703e373731c5caac79c6d8157fbdb137eee

SHA512
bd8c1c432208c515f5f39b474b2c727c70897a6c282c6c9038a9fc859b140faf1cef5c85ab43505ca26432206db89a38f4acc5854f942affbe71bb454c992e74

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
1b3a79abe52d691e191012be6318b6a3

SHA1
e58acc41872a650b0df1075831e46a03c57ba213

SHA256
fdae172db30411c7ca8abaf400e2dae9a69df916061a29cec2b3ced437d3cb0a

SHA512
6b62bd6aaa8ab4ce8194bbf2dcc08942725bdc91358e803a1f88f7fa159489336d1b75f52a84f7cd31653db7efb6288d962cc30583c8d6c31de9f7af0f7b69a6

Download Submit

Analysis

Sharing