neconyd | 98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a

General

Target

98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
Size

61KB
MD5

5528b9063b04fa681e15b2d8174d9321
SHA1

b892a2eb511c795d7ed33218384d99071b34f187
SHA256

98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a
SHA512

872c610a29ad4504cba06f73477b1b8c3495f4e9a650c59ed95ab067a89d2b71468e7242a7d99c9ee377247fcb5662d08735f855ef540968fed68573ebf452ff
SSDEEP

1536:xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZnql/5:BdseIOMEZEyFjEOFqTiQmFql/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid	Process
2300	omsecor.exe
1236	omsecor.exe
1164	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exeomsecor.exeomsecor.exe

pid	Process
1996	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
1996	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
2300	omsecor.exe
2300	omsecor.exe
1236	omsecor.exe
1236	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exeomsecor.exeomsecor.exeomsecor.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exeomsecor.exeomsecor.exe

description	pid	Process	procid_target
PID 1996 wrote to memory of 2300	1996	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe	29
PID 1996 wrote to memory of 2300	1996	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe	29
PID 1996 wrote to memory of 2300	1996	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe	29
PID 1996 wrote to memory of 2300	1996	98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe	29
PID 2300 wrote to memory of 1236	2300	omsecor.exe	31
PID 2300 wrote to memory of 1236	2300	omsecor.exe	31
PID 2300 wrote to memory of 1236	2300	omsecor.exe	31
PID 2300 wrote to memory of 1236	2300	omsecor.exe	31
PID 1236 wrote to memory of 1164	1236	omsecor.exe	32
PID 1236 wrote to memory of 1164	1236	omsecor.exe	32
PID 1236 wrote to memory of 1164	1236	omsecor.exe	32
PID 1236 wrote to memory of 1164	1236	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe
"C:\Users\Admin\AppData\Local\Temp\98abc47b4b0c93506f633c90a7cae277de0d13049b5b31c61ce6780df99eb07a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
542eabe402e27707273b8f793764a2f0

SHA1
b371e4b14851339d9d392ecc9378fac85f38edf0

SHA256
54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9

SHA512
473a569a43c9b09a16e6df2765bad6b3679782ff7e4f6f365130074c73f26f933113395aacefb7622619613623707d2fad72adc2d085fe30a102333cfe2bc56d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
cb52eadeb2f2b8fbc075b95888813f2c

SHA1
087ec01ec07454ed5e5dea80a875b2aaeeecf737

SHA256
6c752bd9297fe4a0115b78e7050560907241d24c11b6d63c9d95cb911bb8627f

SHA512
e82ea544bd78801bd171d571c8cfbb5215a256fa78b18a6589a6ea521f72245fad3522c650d069a4c0c16b704278045ecbd0a08593fef1d8620efdd402eba81b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
3c54a710fe1129cb5c2862f0a5318b63

SHA1
00a079d3727304dd8981ec17245c287ea361a67a

SHA256
ff9a148ec91f57fd56f8814d4217b049a491bd679bf2a40d9604ea944f3a668d

SHA512
331d43ddc532535d29f20b92be9d05aef8fb3c59ac4f5cb660cfe70c86b9ca014b03f66c619888f8d6e6aabd474b5a1e5fb6ae8ac50101dc4996ae4a09eee9a0

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads