neconyd | 98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a

General

Target

98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
Size

61KB
MD5

5528b9063b04fa681e15b2d8174d9321
SHA1

b892a2eb511c795d7ed33218384d99071b34f187
SHA256

98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a
SHA512

872c610a29ad4504cba06f73477b1b8c3495f4e9a650c59ed95ab067a89d2b71468e7242a7d99c9ee377247fcb5662d08735f855ef540968fed68573ebf452ff
SSDEEP

1536:xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZnql/5:BdseIOMEZEyFjEOFqTiQmFql/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2448	omsecor.exe
432	omsecor.exe
316	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2248	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
2248	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
2448	omsecor.exe
2448	omsecor.exe
432	omsecor.exe
432	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2448	2248	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe	30
PID 2248 wrote to memory of 2448	2248	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe	30
PID 2248 wrote to memory of 2448	2248	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe	30
PID 2248 wrote to memory of 2448	2248	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe	30
PID 2448 wrote to memory of 432	2448	omsecor.exe	32
PID 2448 wrote to memory of 432	2448	omsecor.exe	32
PID 2448 wrote to memory of 432	2448	omsecor.exe	32
PID 2448 wrote to memory of 432	2448	omsecor.exe	32
PID 432 wrote to memory of 316	432	omsecor.exe	33
PID 432 wrote to memory of 316	432	omsecor.exe	33
PID 432 wrote to memory of 316	432	omsecor.exe	33
PID 432 wrote to memory of 316	432	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
"C:\Users\Admin\AppData\Local\Temp\98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
542eabe402e27707273b8f793764a2f0

SHA1
b371e4b14851339d9d392ecc9378fac85f38edf0

SHA256
54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9

SHA512
473a569a43c9b09a16e6df2765bad6b3679782ff7e4f6f365130074c73f26f933113395aacefb7622619613623707d2fad72adc2d085fe30a102333cfe2bc56d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
bab94bdf4e5fddc8e07d9f5d200b70fb

SHA1
64fc592a9429a1207538660355f90f12bdea6f91

SHA256
9f91c5a4df37c0521580d56083d804bc28b51efb31f95390724f7110b9ff5482

SHA512
38d8c0811d2b0a5c5e33170b505eae94d9c8f7761d6895f046a66277cb4f799c9ab06e54d48584a7163767a1bf8810dc3738e0dc9a7339c661ad20ac5af0ff56

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
104bb6596f84f7ea3498a3be788b68cb

SHA1
bdc9bdfc6a79bf3e876e54881fa2be0df3712333

SHA256
f2d1767f46781726f1baedf8758329e7566428a34bc1b6cb508340700b196aa1

SHA512
f52adc6a65453bfc2f22797d35033d118fe128b125a4a691ab436365eb8e052bdcffdc78fb8274f38249390c2d6865ec8635eb167c6dd1e00ce03f146b565121

Download Submit

Analysis

Sharing