neconyd | 4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020

General

Target

4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
Size

80KB
MD5

429c9bd1a87eeddaef654ff0e423bbe8
SHA1

bfc03adeca294e7a7e3b939e14c02c6dd6bbfd04
SHA256

4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020
SHA512

ac763cbd262f57be05d96c55d89e5e5a2433b22eac2adeadcc72f77c6074cc7d41cd37ed25c0fc6e1e5fae39821ca0cfec18b7d0faa9d3e053867af8743ff215
SSDEEP

768:GfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:GfbIvYvZEyFKF6N4yS+AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2144	omsecor.exe
772	omsecor.exe
2288	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2096	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
2096	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
2144	omsecor.exe
2144	omsecor.exe
772	omsecor.exe
772	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2144	2096	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	31
PID 2096 wrote to memory of 2144	2096	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	31
PID 2096 wrote to memory of 2144	2096	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	31
PID 2096 wrote to memory of 2144	2096	4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe	31
PID 2144 wrote to memory of 772	2144	omsecor.exe	34
PID 2144 wrote to memory of 772	2144	omsecor.exe	34
PID 2144 wrote to memory of 772	2144	omsecor.exe	34
PID 2144 wrote to memory of 772	2144	omsecor.exe	34
PID 772 wrote to memory of 2288	772	omsecor.exe	35
PID 772 wrote to memory of 2288	772	omsecor.exe	35
PID 772 wrote to memory of 2288	772	omsecor.exe	35
PID 772 wrote to memory of 2288	772	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe
"C:\Users\Admin\AppData\Local\Temp\4f3317b0f1c553aa0e6ca39c3e3e01ed9afa349942cc66a998aa1ac7922ee020.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
57526ccbdd50ab149966def4adb1f785

SHA1
d22f35f22832f1dbdb418ea9dc652390d615cbdb

SHA256
41081339c08f775797cb17853747392ea0fa09fb809bcaf3315a2a6b70f03c2a

SHA512
306d275f483161a7905e6af027d92de6a659f2e8dca887f82bea8cf6f5b3a31769674a15b8fc86c8ef416dded3d01bde0da4cdbbbae5f2ff295d487a6ab97cfc

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
896bfdcd642f3f729dbbf19acde4d070

SHA1
2feb7dc5f5555b412bc7132e522baf6fffc7949c

SHA256
5b69a642d72b5daff4fdffaa13aa946f65c4f453131d4d6ee49afe84c750ba01

SHA512
dd45b1941248bcd4c330505a8dc1a855fd9db64cfc790124944edd626753ccccf3615a3684fe7116d558ae0bc518065d5705c82f3917b2b8e860851bec4c373b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
8aa4e1a02ab19a334c3bc598c95e49e9

SHA1
9fbf989276d00df8eef359a09bc84e37a5fe7bec

SHA256
1dc8edebb2aa38296f96ee64d863c79370a6898364e605a4c4b5fc186b5fccb9

SHA512
bd450ede0fb89d760ce1c7a1fc2f0a8ee80979ba2166de88927d1d79300d3ab692260d4edc5b4ef63c2a40bcb7c41dc9f2593045ecbc0b02ae9b645b46cdcd30

Download Submit

Analysis

Sharing