neconyd | 09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433

General

Target

09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe
Size

61KB
MD5

9eadd2f05a2e7f9a08411bcd7682c2a5
SHA1

687fef93bbcf9ee18129b98ad9c448f1b8a54009
SHA256

09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433
SHA512

b45a5a65df0b58f09b5d8037aa4fcd464319be4f75bb254bdc23f48c69254012b2e0fc462fcd4e5471233bc824a211dacc3f992b1cac5ae7c61e1d8d7ebba41d
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5v:+dseIOMEZEyFjEOFqTiQmTl/5v

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2348	omsecor.exe
2028	omsecor.exe
3020	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2320	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe
2320	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe
2348	omsecor.exe
2348	omsecor.exe
2028	omsecor.exe
2028	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2348	2320	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe	29
PID 2320 wrote to memory of 2348	2320	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe	29
PID 2320 wrote to memory of 2348	2320	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe	29
PID 2320 wrote to memory of 2348	2320	09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe	29
PID 2348 wrote to memory of 2028	2348	omsecor.exe	32
PID 2348 wrote to memory of 2028	2348	omsecor.exe	32
PID 2348 wrote to memory of 2028	2348	omsecor.exe	32
PID 2348 wrote to memory of 2028	2348	omsecor.exe	32
PID 2028 wrote to memory of 3020	2028	omsecor.exe	33
PID 2028 wrote to memory of 3020	2028	omsecor.exe	33
PID 2028 wrote to memory of 3020	2028	omsecor.exe	33
PID 2028 wrote to memory of 3020	2028	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe
"C:\Users\Admin\AppData\Local\Temp\09e1ed4843058435cd7808472345cf25cebc13bad0bc7eb343c4629a1a8d4433.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
0c9370d0974b5e4d1425e37bc63637e4

SHA1
435819f786818d7e74b7a2c80e8fb4d3533bde0d

SHA256
0fb5d4ced6b400b755818363709ad2ca9d0b55811218fb13e5e73f10a119fb52

SHA512
1174c1b629ad25da77fc5a60e1782cb451cc2552dc2d5fcfe6b42e5b77c9cb36a15e39f46da2772eea6944f68db44b0fd58d0062d88ed475298e31e0e6aa042b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
3339b65de66b9a8d7f082e611fef5d98

SHA1
b8eb25ecdd70de2376b2af084be4f86c1307fd2f

SHA256
bf63daa98e718572e7ec8b04a424c87fbeb9bae2b175ee0dacef5492a66aba38

SHA512
1902798ef82ba8d929558fdafe4f7e14447dcb3aea330fcb15877571f819b2c29a532522817a84115e95a491ed6ece9268c2788e2ac03fe12f0bf11c25da0ef9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
9118b81b3bc32c4880ad13e6af68535b

SHA1
89357165c2e088fcf4579655ee5287b27db650a8

SHA256
973e547c9c90994eba080462517d8bb8617417c229d000123bc5e8e0a5f9c515

SHA512
8dc0980cee39e4170fe1e623e5e0c3d5903701680ee9e7628c84ac9ba6f1e4678bfacab7cc572588ee567ff05454fa464d1c06c48fecde0948c3adbaae465cc1

Download Submit

Analysis

Sharing