neconyd | 5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1

General

Target

5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe
Size

90KB
MD5

80c678b33a6d6ed0ea43720bbdc93810
SHA1

356656500dba7784f0e640bedf95d548c5373e08
SHA256

5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1
SHA512

8f4252a87dd44373e07a18d8acd0b635f30ccf50c2775c24222b9d6c8618700188dcba212421172bfc8bb0be1364d077bf5838242c646e6928acbc96f8aeea8d
SSDEEP

768:uMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:ubIvYvZEyFKF6N4aS5AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2416	omsecor.exe
1744	omsecor.exe
1984	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2568	5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe
2568	5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe
2416	omsecor.exe
2416	omsecor.exe
1744	omsecor.exe
1744	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2416	2568	5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe	30
PID 2568 wrote to memory of 2416	2568	5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe	30
PID 2568 wrote to memory of 2416	2568	5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe	30
PID 2568 wrote to memory of 2416	2568	5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe	30
PID 2416 wrote to memory of 1744	2416	omsecor.exe	33
PID 2416 wrote to memory of 1744	2416	omsecor.exe	33
PID 2416 wrote to memory of 1744	2416	omsecor.exe	33
PID 2416 wrote to memory of 1744	2416	omsecor.exe	33
PID 1744 wrote to memory of 1984	1744	omsecor.exe	34
PID 1744 wrote to memory of 1984	1744	omsecor.exe	34
PID 1744 wrote to memory of 1984	1744	omsecor.exe	34
PID 1744 wrote to memory of 1984	1744	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe
"C:\Users\Admin\AppData\Local\Temp\5a48bf56e56ba18384194e64d420c0b6a503725330f2a4e22484c498097fa0f1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
50b3d45286c5dc1fbfd430e232b7dce6

SHA1
b450e3a33f85c873d252b2b404433627172afbe4

SHA256
b09943988421ea583360a1ba0b28d36d6b231a953532ba20aecd5f5ad1f36388

SHA512
14600bd4c1759c1e0b3e7915936e3011512a241b938354f328ce052c0aadd7b82c81140a0bbc79a055d805ee466db9a6de644c4c5e82c4c966b9f91092982365

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
c46cf5bde28c03671f3b8f3f73980467

SHA1
217a1ef4d70c70e8d59d714439e910e34c2504d6

SHA256
4924cb63b36c6fa1e659b3544c70c2e8f054b38220e7d21551e7c2191af7111b

SHA512
29c8cfaf462b7500a59e0cd04269ffc6d010866e9e421ce3e9a22061d38625750b59510ed5df0fb6adcfcb02461ef131f0d0905271912e423a71233a9f409965

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
68cbacaec88a54b5e982074a3ad79eff

SHA1
eaf47d3813c63af73ef3bd90733d4a5d23e7daf4

SHA256
55655819621aa73179cb4a28ff7cab3dcacc8ac3af5fb344a61fd9e7be9f5ca4

SHA512
5342e18ac2d4d86344ab6abb1fad1697fb1d15a450f6026b4b9cf91918a17ab0b6057cb3f5972c84aee36558d83f3c5a21120939eea2f650a9a11bbf344bdf66

Download Submit
memory/1744-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1984-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1984-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2416-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2416-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2416-17-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/2416-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2568-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2568-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing