neconyd | 45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5

General

Target

45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe
Size

80KB
MD5

913fad08ef1c4bdebe83ede6977c983a
SHA1

caaeb213da9960d6fc267e18005a986196b2da3b
SHA256

45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5
SHA512

4e423e470f9738725a558c184f401a0b9e656b2d50e86e38da94c63d4db1e0ab229e9ca6860bdbbe1f55c6fc76090ff6dad5ce849d7d40045a196fd46874fb41
SSDEEP

768:nfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:nfbIvYvZEyFKF6N4yS+AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2520	omsecor.exe
3044	omsecor.exe
1484	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2336	45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe
2336	45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe
2520	omsecor.exe
2520	omsecor.exe
3044	omsecor.exe
3044	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2520	2336	45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe	31
PID 2336 wrote to memory of 2520	2336	45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe	31
PID 2336 wrote to memory of 2520	2336	45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe	31
PID 2336 wrote to memory of 2520	2336	45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe	31
PID 2520 wrote to memory of 3044	2520	omsecor.exe	33
PID 2520 wrote to memory of 3044	2520	omsecor.exe	33
PID 2520 wrote to memory of 3044	2520	omsecor.exe	33
PID 2520 wrote to memory of 3044	2520	omsecor.exe	33
PID 3044 wrote to memory of 1484	3044	omsecor.exe	34
PID 3044 wrote to memory of 1484	3044	omsecor.exe	34
PID 3044 wrote to memory of 1484	3044	omsecor.exe	34
PID 3044 wrote to memory of 1484	3044	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe
"C:\Users\Admin\AppData\Local\Temp\45b177565c212ea94ba9757283bbd2bf96c5bce3f15c64284dc256a4836f3cf5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
1eb409ab7ef277bc2f4f2cbd23be9ac7

SHA1
9d4df95c0596ecd3b8892beab8c32006de62c7a3

SHA256
931bef11987a753c2330b3775756dc5bbded03bab55913fdee89398f6b87bd5f

SHA512
c29e0f145648d2ea9fb25b86fbed1181d71d7a9b11e0b586ed24c4db57c910d70a3e1d42ebcf4fd2d7f69c9e894753598b552a6177a82ca2d0a84d2a5b4ca65f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
3d32a2633c835a27b990596c1977d0ac

SHA1
de2a221292a8632489616bb853919ca4bf609ea6

SHA256
0ec0f6e74dc64fee2f060099ad9e2196f24efa63a388abe362ce750249fcc028

SHA512
61229632c374c0e760208e4a485a9101a471cfa866cdf65f46c25cc056411acef9be2e4fc86e0b0431b94087d8d7b9db81ed513a301daf9fc9b8568862de55e6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
eed5445544ad6e24b27c6babb14f8c6a

SHA1
6b27e372b520976ac5675b4071f5f25c434f7d57

SHA256
a49fb20436dd08104dd4ce99f1c13051513c9569c7e9cdad6e0dfa91d18d1b46

SHA512
cb259e8a489a56700bdee3a3ca93384e7b6c78558ed23b7c7f1b41427fc1b5983de112566cbf9a02f50127b784939a21c9a5891c6e3ecc57c6eba5c5b1e41fbb

Download Submit

Analysis

Sharing