neconyd | 0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a

General

Target

0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
Size

80KB
MD5

b72d6e0501d41a0fcd53784f63d87880
SHA1

c371552655ece43bc7037d615057ff2cf57afafc
SHA256

0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a
SHA512

191374c4e0a25fd8c96919cf495d76d94788b44dbf08fdb6271ff086279c7d5615bcaba1ce02f060c0fe8078593824f5d13749f938b0bad0f1495ab4fb82f9df
SSDEEP

1536:+d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:mdseIOMEZEyFjEOFqTiQmOl/5xPvw/

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3032	omsecor.exe
2844	omsecor.exe
1136	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2304	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
2304	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
3032	omsecor.exe
3032	omsecor.exe
2844	omsecor.exe
2844	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3032	2304	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe	31
PID 2304 wrote to memory of 3032	2304	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe	31
PID 2304 wrote to memory of 3032	2304	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe	31
PID 2304 wrote to memory of 3032	2304	0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe	31
PID 3032 wrote to memory of 2844	3032	omsecor.exe	33
PID 3032 wrote to memory of 2844	3032	omsecor.exe	33
PID 3032 wrote to memory of 2844	3032	omsecor.exe	33
PID 3032 wrote to memory of 2844	3032	omsecor.exe	33
PID 2844 wrote to memory of 1136	2844	omsecor.exe	34
PID 2844 wrote to memory of 1136	2844	omsecor.exe	34
PID 2844 wrote to memory of 1136	2844	omsecor.exe	34
PID 2844 wrote to memory of 1136	2844	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
"C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
1105a5530d3484899bac92604df40e4d

SHA1
ef081bef6e013dddd41ecb27ef59d9b41b249360

SHA256
fdde056d55fc0b08db4c54aa08224516e7832eb3f0fd16aadcf5b2fc179e3353

SHA512
ef86677ce4635679636b325cf37f9765c8ac529071e1eddfc061371be2169245fb6e25d7ccfeab3147f8e50423a4d544553244b71516ddd42dbe892255e4f091

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
51a6e01a0b9d19446adedf4b2271f177

SHA1
e98ff35fec53e3cd49cba75f05569aa2ccca9734

SHA256
a5fe4bd97866ec42790cae321edabb3a28ec1ecf1b342ce5bd80677c5efebf55

SHA512
c5f10cb14a4f5e4bdb8f41981a1e121518c5f9ef8c5fad8eeff421b4f7b2bb1f059315458dc4c5d2ef4f9fdc286cb226d3b5a7dcb48b108c18b19d55478c2004

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
4c82b8ecf9e0ffeba844bd47e2ebe10b

SHA1
5a63e02794f6448446fe244d7740f89dd93de349

SHA256
2fc8f53d136f3daee6cd7a12700e5bd95615d51c4ca588f4135cf7b9f2671a99

SHA512
01df011745aea9d53b5348a7e50b0979b3b1f2f612b9382cdc5698342923e2453f3a9561699e6f4eb2f62e9c84acc847a3f3c46ff70bd7a85cf910ab9690ab9b

Download Submit

Analysis

Sharing