neconyd | ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2d

General

Target

ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
Size

72KB
MD5

9b6f5e39e7e1bbd64a96d9767d8816a0
SHA1

e8ed1b06fe1e2081547213cf9167bef9c8ce0126
SHA256

ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2d
SHA512

4de92a4241eaf035dae634e48273f8ae4d17c1b3c44be88096cad0d76a6355a846c1e4978025c34a7d6be7e44cb30932eb5977a99a8c5840ceb4872c6a15e477
SSDEEP

1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211P:bdseIOMEZEyFjEOFqTiQm5l/5211P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2268	omsecor.exe
332	omsecor.exe
2768	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2316	ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
2316	ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
2268	omsecor.exe
2268	omsecor.exe
332	omsecor.exe
332	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2268	2316	ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe	30
PID 2316 wrote to memory of 2268	2316	ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe	30
PID 2316 wrote to memory of 2268	2316	ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe	30
PID 2316 wrote to memory of 2268	2316	ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe	30
PID 2268 wrote to memory of 332	2268	omsecor.exe	33
PID 2268 wrote to memory of 332	2268	omsecor.exe	33
PID 2268 wrote to memory of 332	2268	omsecor.exe	33
PID 2268 wrote to memory of 332	2268	omsecor.exe	33
PID 332 wrote to memory of 2768	332	omsecor.exe	34
PID 332 wrote to memory of 2768	332	omsecor.exe	34
PID 332 wrote to memory of 2768	332	omsecor.exe	34
PID 332 wrote to memory of 2768	332	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
"C:\Users\Admin\AppData\Local\Temp\ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
a843ddbe4db478bb7c3404305737eab0

SHA1
2e26eeb05425b4cc5759eef5360b1a0d82d75261

SHA256
8033a4f67f819651529979ba6e7fcba5e8f517b5dbef4c5cc598a6ec8ea3dbbe

SHA512
86530109b85abbe72ece65ddd9f8ba874413975565b16b6d2d52b873a0efb21d6bcefc6dd6f5da154684af01f338ff5c7588fadf063b8359199ca6cc78149860

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
58de487a909fce33beb65d8921beb228

SHA1
184d720e09b44cdbf413a6ba77c3cd90b6bba1e3

SHA256
02475eba3848c57eb77243fc0fa0217d7b623056634db0175d62f003e0787c35

SHA512
e46045a00e38175b397ef5a50805b77baf408dab3e9a676ca7dab716e2de81825dde66aa7c8868ef9d5c06e46959ae58132b2f8b87bdb3567d325ab14b621d36

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
a11b36db165f75761c04076f6cdf9176

SHA1
8401edf95899a2fa31562c53e1eef4f338d1d963

SHA256
8452af0ac0e13365efdb21bd49e55df3afce0b935132ffdaee1ecad8d92fa8c6

SHA512
e26d0000c26d3af23d81b4170d498c7f7c804592a353ff35bc93649b7135ce2ab321c889ba3cda5cd36ef1cb7981b7e46857126face575391223648be90bc474

Download Submit

Analysis

Sharing