neconyd | e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644

General

Target

e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
Size

80KB
MD5

6ed735df8a85a7804ab3b68feb080ea0
SHA1

554b7583869485fb2194f1cb465bb9421906455b
SHA256

e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644
SHA512

47ae9f7057b41dcc8fd51ada7fa71ee381a76f57ec02cc1bc039de3529a670b63d6c47df8d4d86a22c1bcb5af70874a02fdd8f4b27930ef5f875e7d3e183e673
SSDEEP

1536:Ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:gdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3060	omsecor.exe
2056	omsecor.exe
1988	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2312	e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
2312	e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
3060	omsecor.exe
3060	omsecor.exe
2056	omsecor.exe
2056	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3060	2312	e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe	31
PID 2312 wrote to memory of 3060	2312	e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe	31
PID 2312 wrote to memory of 3060	2312	e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe	31
PID 2312 wrote to memory of 3060	2312	e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe	31
PID 3060 wrote to memory of 2056	3060	omsecor.exe	33
PID 3060 wrote to memory of 2056	3060	omsecor.exe	33
PID 3060 wrote to memory of 2056	3060	omsecor.exe	33
PID 3060 wrote to memory of 2056	3060	omsecor.exe	33
PID 2056 wrote to memory of 1988	2056	omsecor.exe	34
PID 2056 wrote to memory of 1988	2056	omsecor.exe	34
PID 2056 wrote to memory of 1988	2056	omsecor.exe	34
PID 2056 wrote to memory of 1988	2056	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe
"C:\Users\Admin\AppData\Local\Temp\e77c84b546484e803ac88dcbe319440fdff6c94c721d082761e9a357efdc6644N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
9cf1fe789a63984248ecda8302d6fedc

SHA1
77fd36a0f93197ba5fb7d0b50d273f35489fc556

SHA256
8e4314f4e5d6839ee6985a1e54cfd250afbb784551d9bb00a01795260c2d2b72

SHA512
e51ccdc84853d207ea4fe15ce914b5c45a1a1c3ba23774f41a65180410becd02722ebe9454735aaa62b9166b7aa573b9e776651f71daa13456d14b2909244bc4

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
a01a14e859666334f77b2c9f5c3026d3

SHA1
7cca57f67cf3e56529836da2e590122b6489784c

SHA256
1dbebb167fa3c1e7e8dbfc8ac2f0f86d4db1722c990567fa014a3edd2fdf4f0a

SHA512
f7c9b78a23d2f43ad39251c0fe3a635c9f644894ca54e2bd6b8c85f19ce3d88ab31d692b3475af296f3728365ca74fbb0b1361410cc655b8ca79709504ce0fce

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
84996626a68638f3bffbe68af76705b5

SHA1
41f60168ed8403f49ff10618788999e5bdad27c2

SHA256
d681341901f73bb308b9ac8dc8e36a2cf4fbb7a6c2a0170b8ad8b01d68fd51c3

SHA512
e4c26f36e1f97438eedf1031946cab4fcdddf71e34e54ec0e651fcb0d2395048136c398edd8da729c59b57023a334e428bb79777cf325f6ee8a980f541449326

Download Submit

Analysis

Sharing