neconyd | 41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8

General

Target

41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe
Size

61KB
MD5

4c802f2573a72d20d8e00283350f9d70
SHA1

71f1bb07cf6dfeb32e2d7c1a32a40f4bf1baf959
SHA256

41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8
SHA512

c8e5dc99013616bf1c020c8031826ce0d81686fedd03ba5418f99ddb387bcbdf6d340fcbc279a140f94f66cec3ff295c4866466639a81ee17adc7e8709824951
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5H:XdseIOMEZEyFjEOFqTiQmil/5H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2092	omsecor.exe
1988	omsecor.exe
2860	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2180	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe
2180	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe
2092	omsecor.exe
2092	omsecor.exe
1988	omsecor.exe
1988	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2092	2180	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe	30
PID 2180 wrote to memory of 2092	2180	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe	30
PID 2180 wrote to memory of 2092	2180	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe	30
PID 2180 wrote to memory of 2092	2180	41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe	30
PID 2092 wrote to memory of 1988	2092	omsecor.exe	33
PID 2092 wrote to memory of 1988	2092	omsecor.exe	33
PID 2092 wrote to memory of 1988	2092	omsecor.exe	33
PID 2092 wrote to memory of 1988	2092	omsecor.exe	33
PID 1988 wrote to memory of 2860	1988	omsecor.exe	34
PID 1988 wrote to memory of 2860	1988	omsecor.exe	34
PID 1988 wrote to memory of 2860	1988	omsecor.exe	34
PID 1988 wrote to memory of 2860	1988	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe
"C:\Users\Admin\AppData\Local\Temp\41905de9e1205356f23d1860a4754fc861947cae27aee441436d32c71bf72ea8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
f7e274b7134e509ec4a5e7b5c72bc5cd

SHA1
57eb9157f1fb8fc6891718e178cd4bc3d9a97cd1

SHA256
d6109ab6cc62c108afcfd003570f8adadbe0c0d6b323a12fb0d49a7f46d92ef3

SHA512
2d9ed196dda3eeaebbd7618d5cae544e0b4bda15c5f5e89ef03455bb9e2c3e315080066608c3fbf988bf3925d5544d127f43379cdff5fd5ba03b6fe775982970

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
3acaa29c3ae53dba07b7260ad967e46d

SHA1
82c6ec744312d4cbbc1d1a3e41180b072386780a

SHA256
aa144c21dbe36426cb326d3e512547167ed12a9dc4036cd85f8c45bb3fc2814a

SHA512
aec7f850c5026adffb90643e86f1ea9a8a745c12a071b4248ef41fcd8d3b9ce0d8c0aac740501f3d1fc1a42e139e3721a98c9e2b1e06906510b5baed9e5ad12f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
0f39ebf4696bc6d5f15c06f861ee373d

SHA1
26e7f1407efc58d782cf2e28a2a3d8eedff25106

SHA256
20626c5886c75b5bfaf90bd5770d64bded7ec915144ebfc1d6e22954a29bd9b0

SHA512
6a569c2bbf9ad1f6023a192f0fc7853dda7256d738832ac4b44810f2ecf06b3db53509e78e8603a0f957b34967faa0efdb887ec3cddf20cf8034cf79883f1805

Download Submit

Analysis

Sharing