neconyd | ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983

General

Target

ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe
Size

72KB
MD5

bdc3613df5600a4ead19a4bd3d6eed70
SHA1

14aef4aa9567ae26709b18edf2b9c02fa8f29045
SHA256

ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983
SHA512

993216f180cc004899be4987415570903439180aaf5cc8310abd7ab23e7990ed08a41f4d68c2273c453bf1ce29ec8946974cbc27cc3d783b892071df1e55fad8
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211l:LdseIOMEZEyFjEOFqTiQm5l/5211l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2516	omsecor.exe
3012	omsecor.exe
2984	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2292	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe
2292	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe
2516	omsecor.exe
2516	omsecor.exe
3012	omsecor.exe
3012	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2516	2292	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe	31
PID 2292 wrote to memory of 2516	2292	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe	31
PID 2292 wrote to memory of 2516	2292	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe	31
PID 2292 wrote to memory of 2516	2292	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe	31
PID 2516 wrote to memory of 3012	2516	omsecor.exe	34
PID 2516 wrote to memory of 3012	2516	omsecor.exe	34
PID 2516 wrote to memory of 3012	2516	omsecor.exe	34
PID 2516 wrote to memory of 3012	2516	omsecor.exe	34
PID 3012 wrote to memory of 2984	3012	omsecor.exe	35
PID 3012 wrote to memory of 2984	3012	omsecor.exe	35
PID 3012 wrote to memory of 2984	3012	omsecor.exe	35
PID 3012 wrote to memory of 2984	3012	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe
"C:\Users\Admin\AppData\Local\Temp\ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
90a16f779c5d9a26654ad0fb1dc67fac

SHA1
f4c3f30c7c78d6ad513ffa1843eca167bd840b0e

SHA256
a1fd0314e8df6bae2dc71b9f21ffe8954525fc272b6b024ff82e23a73bddfb98

SHA512
a8ac9aee11deb3ea251192b86582ac0e8f099272b2dd2656e067011ef08988f3904c550d2414b3bca103774dda47d9777cd616ddfd3491c6729cc6ecd15876a9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
c7708cd8d35a805b29db689f512e88d6

SHA1
cbdec7168a52a0035244714b776b081dd31aca30

SHA256
ee653e973743f5663dd4cd3779bce83ed59086d852c2a2c645e8d5c26ad5d682

SHA512
fbb94aa5dee5d010efc56b1aefbc61dd7394e0b79df1c65f1f96bfead2cec7f751af70e752cdbe2778c944247bd8fdbaf51a2b2cd9c7e3f78957d17aac9a1ed5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
de66577662916cf3be45281332db781b

SHA1
c40610da0c75a23510fa402c830bc0b419b16b22

SHA256
9cf83f805ceb9102f5d559f98b5c13d580a796451951613635f2b2241b46c61b

SHA512
9ffc2e9b002ccedae5e0345d8b9945718147e99e30f1eb5b3d1ed0c53a748d5a49d3bc92bb86d774cae45d41f271fee0eb5ace930bed7152aae01219caa4eaef

Download Submit

Analysis

Sharing