neconyd | 0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a

General

Target

0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
Size

80KB
MD5

b72d6e0501d41a0fcd53784f63d87880
SHA1

c371552655ece43bc7037d615057ff2cf57afafc
SHA256

0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a
SHA512

191374c4e0a25fd8c96919cf495d76d94788b44dbf08fdb6271ff086279c7d5615bcaba1ce02f060c0fe8078593824f5d13749f938b0bad0f1495ab4fb82f9df
SSDEEP

1536:+d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:mdseIOMEZEyFjEOFqTiQmOl/5xPvw/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2292	omsecor.exe
1984	omsecor.exe
2840	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1992	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
1992	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
2292	omsecor.exe
2292	omsecor.exe
1984	omsecor.exe
1984	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2292	1992	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe	30
PID 1992 wrote to memory of 2292	1992	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe	30
PID 1992 wrote to memory of 2292	1992	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe	30
PID 1992 wrote to memory of 2292	1992	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe	30
PID 2292 wrote to memory of 1984	2292	omsecor.exe	33
PID 2292 wrote to memory of 1984	2292	omsecor.exe	33
PID 2292 wrote to memory of 1984	2292	omsecor.exe	33
PID 2292 wrote to memory of 1984	2292	omsecor.exe	33
PID 1984 wrote to memory of 2840	1984	omsecor.exe	34
PID 1984 wrote to memory of 2840	1984	omsecor.exe	34
PID 1984 wrote to memory of 2840	1984	omsecor.exe	34
PID 1984 wrote to memory of 2840	1984	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
"C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
1105a5530d3484899bac92604df40e4d

SHA1
ef081bef6e013dddd41ecb27ef59d9b41b249360

SHA256
fdde056d55fc0b08db4c54aa08224516e7832eb3f0fd16aadcf5b2fc179e3353

SHA512
ef86677ce4635679636b325cf37f9765c8ac529071e1eddfc061371be2169245fb6e25d7ccfeab3147f8e50423a4d544553244b71516ddd42dbe892255e4f091

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
df277e5bc60a161094e0c0f30a4d0376

SHA1
cbc45530840f68f247501c4e9826edeb22c8a81f

SHA256
d9d09de81bfdf092e78ecbf7475f16689b7c7fdb51e9b173fc20fd4456f557b1

SHA512
3c8bbd9766bedfa83644707a2f56ee648a195ceffbf7d5d9e7a4528432fa4ddec8712634d48854627bf2ba13bc477b47bc743260b9c1e4a4f3985e69287d9c94

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
c0b6cd6dab0a8d3846f42c11d92e0888

SHA1
f59d27c5dd06a0b634773c594dcea56a1e2fdc48

SHA256
24b72988e352a0409887c051cc485bf023a097243fe616e24ecf4b1c153026a2

SHA512
2ac2ea2907481f95635f7be2aea01f41ce8d150ee8715d919792fa4a4540696c4fd44bb2dd15a7cc6f41f7967a51d6c3bf0628a2a6ac0efc213a7d2e8b2acc4a

Download Submit

Analysis

Sharing