neconyd | 1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82

General

Target

1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
Size

72KB
MD5

62722158cbc7ab4682bce34d39c83a60
SHA1

223c262a2527b205b3f79fb733c2d5f743f5ffab
SHA256

1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82
SHA512

942b309da503f6b1173ce74f1a82dd17009d56bb9f776622c852bb486923647a2d5198a2e85be46b22435429383aee9bbec98e4ee167d732fa872e83d05590fd
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211X:+dseIOMEZEyFjEOFqTiQm5l/5211X

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 5 IoCs

pid	Process
2540	omsecor.exe
1612	omsecor.exe
2700	omsecor.exe
2072	omsecor.exe
2768	omsecor.exe

Loads dropped DLL 8 IoCs

pid	Process
2572	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
2572	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
2540	omsecor.exe
2540	omsecor.exe
1612	omsecor.exe
1612	omsecor.exe
2700	omsecor.exe
2700	omsecor.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2540	2572	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	30
PID 2572 wrote to memory of 2540	2572	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	30
PID 2572 wrote to memory of 2540	2572	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	30
PID 2572 wrote to memory of 2540	2572	1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe	30
PID 2540 wrote to memory of 1612	2540	omsecor.exe	33
PID 2540 wrote to memory of 1612	2540	omsecor.exe	33
PID 2540 wrote to memory of 1612	2540	omsecor.exe	33
PID 2540 wrote to memory of 1612	2540	omsecor.exe	33
PID 1612 wrote to memory of 2700	1612	omsecor.exe	34
PID 1612 wrote to memory of 2700	1612	omsecor.exe	34
PID 1612 wrote to memory of 2700	1612	omsecor.exe	34
PID 1612 wrote to memory of 2700	1612	omsecor.exe	34
PID 2700 wrote to memory of 2072	2700	omsecor.exe	36
PID 2700 wrote to memory of 2072	2700	omsecor.exe	36
PID 2700 wrote to memory of 2072	2700	omsecor.exe	36
PID 2700 wrote to memory of 2072	2700	omsecor.exe	36
PID 2072 wrote to memory of 2768	2072	omsecor.exe	38
PID 2072 wrote to memory of 2768	2072	omsecor.exe	38
PID 2072 wrote to memory of 2768	2072	omsecor.exe	38
PID 2072 wrote to memory of 2768	2072	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe
C:\Users\Admin\AppData\Local\Temp\1a937261ad09da2edbeb7e559c3f65bf03701384417f0c110f7e458a4a932a82N.exe cmd /c %TERMINATE% "SIGTERM"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe /nomove
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GVCKA58M.txt

Filesize
230B

MD5
6c8a91fb52a41539048bff808a134870

SHA1
9a346136d717900e681e3499b7d034b6c978845f

SHA256
e336e209f9ee89874f2d3c60f7dee586e694ee9c414034d79f22a4d030aca116

SHA512
8ec797dc120597bea42afed78c0bba655e5f23f05f81de0d864dbd9b18a69360d9ce579f230d55dac21f997d5fb3bb65cebd5d9b18084852eb100969a954710e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LHWUYRPS.txt

Filesize
229B

MD5
473c2fd2cbd9b628640d7af0e373a7d3

SHA1
35d3ce75224a7cc4eda0532701f0d505ba730ffe

SHA256
62cc16f7cf7ed8bef3f0f9c22ebce98c4ca4cc1f4a192b3ccf3f8a794ffa76ed

SHA512
ad2450c9912ed5487695ba592e5fbefb9ac97a946c4fae0a015c5e773b9a35d4101250f8648824926c697d14f32b52b200448ab2622fa143771fdc86106af825

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UXRAAHL8.txt

Filesize
229B

MD5
20afd5d5b7a27c6e4cadb39c36638137

SHA1
b45bec92baca34982106dd2248e3cfc45180c790

SHA256
ee58e1c782a9ed867e3975e2ed48bacac37a046b2c4482e3289cc5717aabf624

SHA512
605fac33af158a8c0815016258b936115411e72a2c20ac882435582250e54ba9a6c24981363278e4807e87b35f2b977e2ca1720963ddc33d39de3fc6422654dc

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
431659635728e53bea3d6c6ebde6d54b

SHA1
1a80524c9118834a269a626367270ca9e87358ab

SHA256
d046fba454870610ec302eefdbb9ddac8308fb24ae620203840407460fb7b88f

SHA512
4e0bcac0478538f34098177a8f1061db3bdc280fa2584fc60f04c3812e4943fd8a5c09f87d149c7f5401e2bf78fdbabcf5f74b380f4927bc8c5c1bcec50e65a3

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
be30017a34991ff0a5a641eab8cf4822

SHA1
8ffa88e8fc8a857b28a59237b2c3bea6c0be19ae

SHA256
41406edbec796202e50f92e40c2de3c403f6614d4c736ebfa8ffb632dcb65322

SHA512
dbbdb52d0743b760cdda5f6219a7d07114eede07c05a47f55d7c4f7dc389a6151e140921aa00168b1f6316cfec12520b13c08437d393b3b48e07e9eab6104d1c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
66f7355f901e021593ffc5cabee1eed0

SHA1
a93b128d2afb230c68db6b86b4b481d217758951

SHA256
32b7cd2efa2cc559370612228f5498b7c14717a3b95d4172ecf7a28101d6fc49

SHA512
2981f9665508316d6d39911a9de79c1ca8685d890f4bece93a1abdcf5b9f34ddea683a60d3c6a67331688ef99e9f236e759595031d08212a7677672a4f820225

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
98ef8398a0ba3feb1978d85f74aa428b

SHA1
467b2753a0d44785a39914a578ae5f5b1629974a

SHA256
001ec0db251765268b48289793e1ca31add57cf754a6dbacfa382c3d6dc822c8

SHA512
c5e7d47e83e6b7d7b0998702a56b359f84709152151804f14ab32f792e39c57b83ef28e83b7d2679b91ac5a6779c992972684ea2ee0621f41c21a3163bbacea1

Download Submit

Resubmissions

Analysis

Sharing