neconyd | 4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2

General

Target

4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe
Size

61KB
MD5

94b4fcf1ef3bbdd5cdc759637cb3ab51
SHA1

99048ab86c5b712ceab0e8e3a735025df0823fa7
SHA256

4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2
SHA512

e942872a4dc15d54f9f3d43e704efeb52918dc84933e6b93956e2e480c11d8ff372b632fb1a2fe73453fe0c733e912f14c0046999d50ac7f0c54f3132cd87452
SSDEEP

1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZil/5:zdseIOMEZEyFjEOFqTiQmcl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2760	omsecor.exe
2928	omsecor.exe
2748	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2648	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe
2648	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe
2760	omsecor.exe
2760	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2760	2648	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe	31
PID 2648 wrote to memory of 2760	2648	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe	31
PID 2648 wrote to memory of 2760	2648	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe	31
PID 2648 wrote to memory of 2760	2648	4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe	31
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2760 wrote to memory of 2928	2760	omsecor.exe	33
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34
PID 2928 wrote to memory of 2748	2928	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe
"C:\Users\Admin\AppData\Local\Temp\4b432d7bb10444693c48e9402d325a7e7430c71989fbc0e0489442ce7b20c5c2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4b77265990d905fbcb5891e6f09f1c50

SHA1
5b9c03d0c44685667689b9dce403a0a370800279

SHA256
75878476051c0729c8ff64dfb7d76cf7c54a52a1422ea96cbc75a47fd63d2ca1

SHA512
c53e0289a6acd5977936cfdfaa9e07ef10028af4d67d37ab4900e8b0db639538cbdab71681c8df35c1acc3912d78b6d1707c1edc80eedd7bc9d40228ced1754e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
16fd3fd41a98d55f1c630bda9450d129

SHA1
648b4190d34890f5a82fc9d7a431cd36c3f6bc9c

SHA256
766ad312d46447bf783113f04d45b8efe29c9872204e145dbf423368f33f1e01

SHA512
f3aa3900c6056a7d29bae0c5f72224d0b7808803f1957d6829de1d87b1ab6a8c8af746bfc0b0bcd9b445414e04e52b5040a924515559ff29ffe5a05d20ac2049

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
3cef8f6a9fcf9b605f07211d7401fd69

SHA1
f717907a7668360e997f720e0917cd14e265af58

SHA256
9a1a45e9241ced074c8be350b84c6b89f4e37686fc2009e7f157d001593a74e6

SHA512
988d1e46dc2d03124c7b0e7757b196b0147b02af03a149b2c9aa19cd9b399492d0115fd3a8305c5ed463e9dbcd8ac6a17ab76adf19dbfe2d7eba2cbc54d71bdd

Download Submit

Analysis

Sharing