neconyd | 33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9

General

Target

33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe
Size

76KB
MD5

0c1a28fac6dae204a0b3fef41653590d
SHA1

651bf9bc7ff22bf654749fe299fc2a5d436da11f
SHA256

33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9
SHA512

8d3f833a226ae3993291f701c8d647243ddbbbb4e4dd128f11741315fb61bda0c072e339aa1c48a21ed3b25a7914d9b5094fd844c145a8e320a1439617f99765
SSDEEP

768:p2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWR:kbIvYvZEyFKF6N4yS+AQmZTl/5OR

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2740	omsecor.exe
1652	omsecor.exe
2424	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2380	33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe
2380	33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe
2740	omsecor.exe
2740	omsecor.exe
1652	omsecor.exe
1652	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2740	2380	33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe	30
PID 2380 wrote to memory of 2740	2380	33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe	30
PID 2380 wrote to memory of 2740	2380	33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe	30
PID 2380 wrote to memory of 2740	2380	33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe	30
PID 2740 wrote to memory of 1652	2740	omsecor.exe	33
PID 2740 wrote to memory of 1652	2740	omsecor.exe	33
PID 2740 wrote to memory of 1652	2740	omsecor.exe	33
PID 2740 wrote to memory of 1652	2740	omsecor.exe	33
PID 1652 wrote to memory of 2424	1652	omsecor.exe	34
PID 1652 wrote to memory of 2424	1652	omsecor.exe	34
PID 1652 wrote to memory of 2424	1652	omsecor.exe	34
PID 1652 wrote to memory of 2424	1652	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe
"C:\Users\Admin\AppData\Local\Temp\33ee33ca3efdaa78aa766b63d837accd4c4cbc69f4c8b4f0a1cb249b5e6f2cc9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
02ca249634c0b3df4b31c5e7bc1f5653

SHA1
08dca5fdfab30a029a4ade7329f38b7c527106f6

SHA256
9b98a4c63456857ae3de14440ac9e33c82a3f56fb4374fc2d2a96846ca3fd572

SHA512
6ce0123aa269efa8f89b6759ffa2d63a03428f9501733f65665663a49c5a52093ccfdebb8a1d7072e63126fceffbb7aa38d225961186bd8630290f77c6d0a8e0

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
adeba10e77430d7e008667a3e80522ad

SHA1
82bfc54cd19405f6ca615e3b3381b7157c4264dc

SHA256
dbf49fe5d56689c32c4e49f530b9a7ff1a06fd1e40666d7c9c18a0f21e7b9af6

SHA512
ea83d3b6f255c12f6daaf46528e61e9bc65bd4daf5670b75038105981ba6d0ca53ca8d0e42e54fe0891b6f231316e92dabc5cf0cc7e7f8841d69edd97bf5e39f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
e2a7b08ccd0670b5bf7ee7c44098ae5c

SHA1
c6d4cf6c0f10e4d05caec727d417527ed94e66db

SHA256
a0fec5acad6a288bf24fe9860e04c6afbd4d6ba73d3ad35645c8b5accdf75a50

SHA512
d9c4fffee551d5912688a8ecf24ad6aef5b9ea5708eb25e431a2e78c4896eb2ebbebb72f6ca85d362112a270b832a3968fdfe5003f08a99593c4e3e05ffdf517

Download Submit

Analysis

Sharing