neconyd | eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827

General

Target

eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
Size

88KB
MD5

ba22eee6c9fb329301817a2ecc56e943
SHA1

bdd2a764fcbf8c16671c4997be14c013fb30f5be
SHA256

eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827
SHA512

73e46feb3babfae0ff107fe83f23ee9dfc013e74327df61f20c596f820d6568013343c4db07ffa77716d79102e6420af1756a172c8938f3caedd6e7b0975634a
SSDEEP

1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5Z:2dseIOMEZEyFjEOFqTiQm5l/5Z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2212	omsecor.exe
3060	omsecor.exe
2616	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2848	eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
2848	eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
2212	omsecor.exe
2212	omsecor.exe
3060	omsecor.exe
3060	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2212	2848	eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe	31
PID 2848 wrote to memory of 2212	2848	eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe	31
PID 2848 wrote to memory of 2212	2848	eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe	31
PID 2848 wrote to memory of 2212	2848	eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe	31
PID 2212 wrote to memory of 3060	2212	omsecor.exe	34
PID 2212 wrote to memory of 3060	2212	omsecor.exe	34
PID 2212 wrote to memory of 3060	2212	omsecor.exe	34
PID 2212 wrote to memory of 3060	2212	omsecor.exe	34
PID 3060 wrote to memory of 2616	3060	omsecor.exe	35
PID 3060 wrote to memory of 2616	3060	omsecor.exe	35
PID 3060 wrote to memory of 2616	3060	omsecor.exe	35
PID 3060 wrote to memory of 2616	3060	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
"C:\Users\Admin\AppData\Local\Temp\eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
a359efde16eaaeda5f2793998f58e287

SHA1
7e0d11d8c746ca53078d709f33856a901a127467

SHA256
932e51735d3b5034e787e5db83602eccc7a412cb0af68a994006a2a41af8ec21

SHA512
c2c974495cef7a635358f201ce543368312f2e58550e71d788c31d74da5e97cdf595ab62b1cb6aeed2be57dae83fd7d0fc6d3188985d4335c16226cfa74cd2d1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
daf5883ff36c6070c70c2325e4979aef

SHA1
1c52885a8a0ac5e145f50a9c934f97a69e981c52

SHA256
05f91406cb47d7d77198e598b71b254a074c79d20dfd2184efa566eb4116a272

SHA512
6ffbc858b36ff5b65b6defb55d7677ad1b9355a0e6f6599c4d7aec6da665631aa272c7f31b6c1402efd8d4d3b212e53fae9392127bec6db5b24112aed1824a0e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
ce23c9724105bfa1caac2b6bb5003cbe

SHA1
3de8076c408a8add1ba4c8e94024ca50d966732b

SHA256
ae3001895e807220ee9c7d843202bf952b42e6a4a96fbbe1f13720c84d686d3c

SHA512
010a4615d95495b2ef272f73c85fcc90891bcb1ea6b8b9aaae7c0643f0d2ad4cd86be52e00d04faebcc95cc0ab8bbeb57d9e853c206e521ef2512a437de451a6

Download Submit

Analysis

Sharing