neconyd | 49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249

General

Target

49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe
Size

61KB
MD5

169e53955da79b097826d0f8eb991a20
SHA1

a009318f2e100d27a7485c44b6e27a7736c153f1
SHA256

49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249
SHA512

e4bbf2e264ad2b02011dc7d646d9a39cce6a5c1b2202cf96394152b503113af7823d105b1111b9f8e7c81037db00e81017e88a7c0ee8a3b6556034125064f3da
SSDEEP

768:mMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:mbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2624	omsecor.exe
2024	omsecor.exe
2360	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
784	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe
784	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe
2624	omsecor.exe
2624	omsecor.exe
2024	omsecor.exe
2024	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2624	784	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe	31
PID 784 wrote to memory of 2624	784	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe	31
PID 784 wrote to memory of 2624	784	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe	31
PID 784 wrote to memory of 2624	784	49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe	31
PID 2624 wrote to memory of 2024	2624	omsecor.exe	33
PID 2624 wrote to memory of 2024	2624	omsecor.exe	33
PID 2624 wrote to memory of 2024	2624	omsecor.exe	33
PID 2624 wrote to memory of 2024	2624	omsecor.exe	33
PID 2024 wrote to memory of 2360	2024	omsecor.exe	34
PID 2024 wrote to memory of 2360	2024	omsecor.exe	34
PID 2024 wrote to memory of 2360	2024	omsecor.exe	34
PID 2024 wrote to memory of 2360	2024	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe
"C:\Users\Admin\AppData\Local\Temp\49a1bd2bc129adfa4924a07bef3ede610157f9fbf542b4e005375adb25757249N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
d97307c56c339fc23e21718d6b3cc502

SHA1
01dee6056f3d3b38494e45f463c2d45e903104d8

SHA256
fd5615088339079ca17e0c65a44546cc3457b9bbad35f0939a26c180cba21cd2

SHA512
c54e51ac091f5410cec43173d5fc31be15231d076eeb975e6455335c5c0adff5441c8ddb6250b5e8c731dca76746615009e5ccc9c66f473abef635ab679b7a6f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
9c6836f76b801472d8b4554da59be094

SHA1
07e7a01d5ac7f0535f9dce6d1f56bd9d67329059

SHA256
77b32a8913683f1d79c0f94f168fc0f5191dedb09cc19061df2f649d801c2e17

SHA512
f6cdea8c226cfb1956b5cbf375c209dc55021a4cabcbaca99fecd5a5481004297f905e4633be4a981a8c52c537e02556cebd7f15f4eb3be6a326b23dde35f57a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
6d54633356ef87ba1781fe73298a7a1a

SHA1
80221968109ed5e636894ae26b3ea04bf6c969c2

SHA256
3e335e96efddc0016b49e7c1c2447a6578f035407fa783898a7774c7bb6f4f58

SHA512
016f4e33e6be166e63367b5dd32f325535c0da1758a8675fa2abecd7291d53e3a77e49612249c4ef4a0c05e79d278db4fdddcc4cff0d74e78484969f277c7829

Download Submit

Analysis

Sharing