neconyd | ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937

General

Target

ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe
Size

80KB
MD5

97364296e4ee297b00f3c24ead1b0f21
SHA1

69f10315ad5a4b3e60b28388cba3ef1a692a788d
SHA256

ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937
SHA512

51427963e7bfcd5465b7ee0844f53928c52c6cb3c70178312ffb6a251065098a410ba316e75a504880479844b2db22921367b9954b10c348c5c724a95b4a7711
SSDEEP

1536:Qd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:QdseIOMEZEyFjEOFqTiQmOl/5xPvw/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2100	omsecor.exe
2224	omsecor.exe
1484	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2936	ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe
2936	ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe
2100	omsecor.exe
2100	omsecor.exe
2224	omsecor.exe
2224	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2100	2936	ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe	30
PID 2936 wrote to memory of 2100	2936	ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe	30
PID 2936 wrote to memory of 2100	2936	ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe	30
PID 2936 wrote to memory of 2100	2936	ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe	30
PID 2100 wrote to memory of 2224	2100	omsecor.exe	33
PID 2100 wrote to memory of 2224	2100	omsecor.exe	33
PID 2100 wrote to memory of 2224	2100	omsecor.exe	33
PID 2100 wrote to memory of 2224	2100	omsecor.exe	33
PID 2224 wrote to memory of 1484	2224	omsecor.exe	34
PID 2224 wrote to memory of 1484	2224	omsecor.exe	34
PID 2224 wrote to memory of 1484	2224	omsecor.exe	34
PID 2224 wrote to memory of 1484	2224	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe
"C:\Users\Admin\AppData\Local\Temp\ebaec2f032d7012d4e76cb591d4aa25503382fdb383db73be86f48941b935937.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
a7f82c54c9895c775513c8db4fb24fde

SHA1
991d4c563d76bfafbc88fc54d1e548109e48dc51

SHA256
23d827c2a8673a0a1011f2a385fac5136d8da615e08df834461b31e3f55ccba3

SHA512
b273012eb5ba3ea079c7487b079b072a7e9c698f7cbd8bc92132ceaca9bb94b72d82d5a73facd93bbdfbe6329dd8b4a300eaed12f7ca5dc2f82fa09ff709a2ad

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
3607ffedd7585354af2ec1ca9aad3ec3

SHA1
22a430ed345465102e7a38b24b91385564251c7a

SHA256
68e52a2a8dd0e487fd3b0ea6a339559eda22e68eeb28f337b08924a618343ad2

SHA512
0e125bc481121b780d2b951e20e0a10c7e64c18c8b18dadeffd6736a978347f3d862ecdbe2eae6fb6accb0c17c61f46d2cd18e60d364cd70d2213ac885ee0dc6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
b18bbd7a6ee16dbc29151ef53b858336

SHA1
6251af62cd1c1c6a505f144a214aa93e9e42cd75

SHA256
c9806906ab04aa2ae7d37f9398f5f6174ecad8c0c7c2af024a1d3ac68598b33a

SHA512
50dac0211f8a8f623ebe74fc786b73260d228aa246e911e3003951d24da92a0ff9e02905b70f9f47f1ef9539b65955ddb018d52776a43088626ce0cbfaf816d6

Download Submit

Analysis

Sharing