neconyd | a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301

General

Target

a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe
Size

80KB
MD5

c98b4138691d61c56f49eb3bcc913440
SHA1

71f40ac919dbc9f20cee2e490dd450a528133416
SHA256

a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301
SHA512

f3d9d229a57f8caa12e29e956ef6e1d216cf181055dbcad6b847fdbec8197e3ee120f15922b152a8cfe1b54fbd28f573878d63a7228bd6f2af21ced2cd8d3b7b
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:XdseIOMEZEyFjEOFqTiQmOl/5xPvwX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2776	omsecor.exe
2996	omsecor.exe
2980	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2792	a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe
2792	a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe
2776	omsecor.exe
2776	omsecor.exe
2996	omsecor.exe
2996	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2776	2792	a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe	30
PID 2792 wrote to memory of 2776	2792	a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe	30
PID 2792 wrote to memory of 2776	2792	a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe	30
PID 2792 wrote to memory of 2776	2792	a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe	30
PID 2776 wrote to memory of 2996	2776	omsecor.exe	33
PID 2776 wrote to memory of 2996	2776	omsecor.exe	33
PID 2776 wrote to memory of 2996	2776	omsecor.exe	33
PID 2776 wrote to memory of 2996	2776	omsecor.exe	33
PID 2996 wrote to memory of 2980	2996	omsecor.exe	34
PID 2996 wrote to memory of 2980	2996	omsecor.exe	34
PID 2996 wrote to memory of 2980	2996	omsecor.exe	34
PID 2996 wrote to memory of 2980	2996	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe
"C:\Users\Admin\AppData\Local\Temp\a47eae4ac9a5830d4bb2bdc2c69d59576a15123aa85e3b80977437682e50d301N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
227e53f0ecbc0c1e7cdf9c00ef1fec50

SHA1
b52435e2b680c2ac4f6a81ba5fa14154c62346b4

SHA256
e07000219d5f7df830d1e1fd05e160872ec0530ad4472713f9136f5076903a90

SHA512
272e81a405148b4e91b5461543a112e2ff84ccdd3bbdce9e79112543b710ebed59718c0152125698406cc619e16bc314f5dea561369c1fb6e8263a663bb6cac8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
e949a7b58967bc0b25412d80b99c3f29

SHA1
df633ba9948268da95b51335d3eb58aea21b3ff0

SHA256
6bda46346357c6d408e5d7089ac6f31f4766d85c241936c741306d858053f195

SHA512
306962ae6bd6caa4789b64918432bb5358afc0ca7769732506ace1d4be24bab0a6a944996c59ed72194099c1a06949802a5b672695f83139c27f0c5009851fd2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
66ac90abb530235afefcf4ba10eed6e5

SHA1
b3e704f770bf89052af49dba203722b2b04fb9ba

SHA256
b92dc0bbad0242582616a02631aaaa513c540aaf9293ab9107a9f00f16bc724f

SHA512
75f5efcd2809f7195e6b32a0e849f72139dd0358658332380856c51273642c75e17f8307e611b75f953f8b45fbd1dd0d714bdeabec2fb9a4795ddde28b3f6dd0

Download Submit

Analysis

Sharing