neconyd | 4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340

General

Target

4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe
Size

64KB
MD5

97472f222d2703d030054a9cab746ae0
SHA1

b79c978ad6e7f8d3b7c55506f246b61f2278bfa4
SHA256

4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340
SHA512

7f128f7ca106575296fda7912d05a4260e17a3164705d4b581be1360f89933a476710eac4dc747074e1efed107b8b4e34c2df79f1db8f36341a53ce40b01d76d
SSDEEP

768:bMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:bbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2984	omsecor.exe
1964	omsecor.exe
2024	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3012	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe
3012	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe
2984	omsecor.exe
2984	omsecor.exe
1964	omsecor.exe
1964	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2984	3012	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe	30
PID 3012 wrote to memory of 2984	3012	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe	30
PID 3012 wrote to memory of 2984	3012	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe	30
PID 3012 wrote to memory of 2984	3012	4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe	30
PID 2984 wrote to memory of 1964	2984	omsecor.exe	33
PID 2984 wrote to memory of 1964	2984	omsecor.exe	33
PID 2984 wrote to memory of 1964	2984	omsecor.exe	33
PID 2984 wrote to memory of 1964	2984	omsecor.exe	33
PID 1964 wrote to memory of 2024	1964	omsecor.exe	34
PID 1964 wrote to memory of 2024	1964	omsecor.exe	34
PID 1964 wrote to memory of 2024	1964	omsecor.exe	34
PID 1964 wrote to memory of 2024	1964	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe
"C:\Users\Admin\AppData\Local\Temp\4610ce2851185d9411fda736bfd4c99f84ac2b9214c153a816c9948a7c6d1340N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
470170f00d0c7425cc68af731e44a609

SHA1
8099270a6a5f517012334fbd0652ddda054f87c2

SHA256
e9fedf9030ea2d93e2c3c34d9e8a262406d39ecc81419c5b7c15d657b489fae6

SHA512
5c2af57d35a5c23b06b6f8081a310db2892165d8aa8bfb375f00cd99905aa3417a14ab811fbc55d7b2ceee7359546a293b6c879dc353ac6d3817e90108fb5350

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
c5f99f6872af3daf283d6888d1b86d48

SHA1
ee4dd3c21b7c4d569d8e62123f8bc8ac6191df19

SHA256
53b64dbe313fe71a15e2e0593214f60738dde40bfcfbc3eca0bff0d147f4ef72

SHA512
6e51c521a2d2067cc809b30e4bfee8eb93768233dd5051eca270e29ff08d24f9f8637f0c456035207fd66bb05da4b5221ce63479641d41f62bbf72b0f893b6c3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
ab058622721ee6f1eeaa4a22229eeb03

SHA1
4a24fd9090c3a1aa0ee6c12a5dc3595746072552

SHA256
54e36461cfce2f6c1cb347f9b9b617d0e2a5c53c66c5d4fd0e61b663b94dfe98

SHA512
b40e6ff902f12c5a502b4c1222d278595e9efd1be9e42a78f06731ce6601b0bc8058f0d445944a32cfb34cd1b916c0a8c27a75fb8b742b2a60d502745312a9ef

Download Submit

Analysis

Sharing