neconyd | 8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e

General

Target

8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe
Size

80KB
MD5

80c4623568ac9cdd336c4400b2fc9e68
SHA1

da0e216fc51b32ed4f89c34fc296c4ebb0ac3413
SHA256

8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e
SHA512

6749988a41fa0284218c930d4ffc63f3641597cf18ff996a20d172e17051055570be6912262f5cf435dd41b1ea2286cdab6025c4986b03344ef3fcea3446bb1b
SSDEEP

768:BMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:BbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2516	omsecor.exe
912	omsecor.exe
2968	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2524	8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe
2524	8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe
2516	omsecor.exe
2516	omsecor.exe
912	omsecor.exe
912	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2516	2524	8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe	30
PID 2524 wrote to memory of 2516	2524	8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe	30
PID 2524 wrote to memory of 2516	2524	8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe	30
PID 2524 wrote to memory of 2516	2524	8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe	30
PID 2516 wrote to memory of 912	2516	omsecor.exe	33
PID 2516 wrote to memory of 912	2516	omsecor.exe	33
PID 2516 wrote to memory of 912	2516	omsecor.exe	33
PID 2516 wrote to memory of 912	2516	omsecor.exe	33
PID 912 wrote to memory of 2968	912	omsecor.exe	34
PID 912 wrote to memory of 2968	912	omsecor.exe	34
PID 912 wrote to memory of 2968	912	omsecor.exe	34
PID 912 wrote to memory of 2968	912	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe
"C:\Users\Admin\AppData\Local\Temp\8186847ad0d3c62c54c77e58b34c9fd7b79de3caaa325bc89beebf7b18036d3e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
cccb9841d4d8cd4cc5b5b96d496c560b

SHA1
7d72cf1fcf46289d7252955c44fca0fbd94ca02f

SHA256
9d5cf4a0c565795fb28324cc25263e0acdce4ba9be63f70c71c61303a674af81

SHA512
57b85bc48f70b197bfc71414073fe98803ea80023556c18df7b36e2b94d49f8d4ce1d2a47cbc839456fcf7e9368011ad7e4b648ca2d50764c522dcbc7e3d50ea

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
2db9b7cee89fe6e76096a2f00017f8ec

SHA1
82af2bb97958165d3254097c6466ad1be658e0c5

SHA256
08d9843bd5396fe0e6b49a5a660ed460bdb81189127598b9546daff768098b75

SHA512
2fc8bcd395bc6396c5d90013bc1a9fc2ef7995d84e05019a1e6658b2faf0c5f1b0a68b161b9b65665834a1b9240a090ccb04234f1094b9091bedf429dc44cfff

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
fae653ebbac929671953af5f174df4bd

SHA1
ff4150452efa3c772fc42a8d48b172f5eab92166

SHA256
09f0e2bbd73bf484f43e0aeed706a1a38ae3ddcc5ef505ce0b43931b4a1d0568

SHA512
1d2edce4e54bb8f01069b97305097d83306ba5a2f555f2c2e923adf179a6df0c0a3ddcdd6fe857796abc6800b241f183246b470a9f9ca8fa9646fb3fb7f26689

Download Submit

Analysis

Sharing