neconyd | 45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9

General

Target

45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe
Size

88KB
MD5

73a2ffa70e42ef92001b48d19f303290
SHA1

1fdb6315973a91a139dcac8f64502a5dd60ded6a
SHA256

45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9
SHA512

7bf64747cec0bb908c70d58273c1076c508c870f32383d85fd5eaf233b10e1504d59eb7ee80d6b0c00f380877e11564e4bf6b82958e9c1984f754fa627f04cdd
SSDEEP

1536:qd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5z:qdseIOMEZEyFjEOFqTiQm5l/5z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2660	omsecor.exe
1596	omsecor.exe
1876	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2084	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe
2084	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe
2660	omsecor.exe
2660	omsecor.exe
1596	omsecor.exe
1596	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2660	2084	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe	31
PID 2084 wrote to memory of 2660	2084	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe	31
PID 2084 wrote to memory of 2660	2084	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe	31
PID 2084 wrote to memory of 2660	2084	45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe	31
PID 2660 wrote to memory of 1596	2660	omsecor.exe	34
PID 2660 wrote to memory of 1596	2660	omsecor.exe	34
PID 2660 wrote to memory of 1596	2660	omsecor.exe	34
PID 2660 wrote to memory of 1596	2660	omsecor.exe	34
PID 1596 wrote to memory of 1876	1596	omsecor.exe	35
PID 1596 wrote to memory of 1876	1596	omsecor.exe	35
PID 1596 wrote to memory of 1876	1596	omsecor.exe	35
PID 1596 wrote to memory of 1876	1596	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe
"C:\Users\Admin\AppData\Local\Temp\45471ca56bdb1255ad5ff2779fc49985f6862614245e8bb5117b030f146397d9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
9e9712f490d66cc0db854df20815b376

SHA1
0dd839d84dce8ed4a82c35364964af516c7bf5f5

SHA256
d3c3c6f82c005a4cb8e2587dd30ae5faf411a5f61019d8525f8b18ee734ca8ff

SHA512
231117fdb786abf30fe356a5cc18e7e618e715bf802a23afe239532299498c47f03d18bd2a665f4bec91e4d59355bbb9eb6a65124663796d3eb1c10e84c63e19

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
ccd55da72f03ca6f05f6e39bc84f9040

SHA1
1cc7304aca1096166d5f0e8b7746977cb42e33a3

SHA256
6f6bd08783e90e4999c38f71991a8153826792a4b5d161e0d7b8227578c193e1

SHA512
26dece540358edfd568b300484b057a2c2d908dbc90df0a0317496b49b335acebe1fdf50112e3d8f178ddbeef9db3cab31f2598049dadb002182b0a1c23c1640

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
554c87a9dde59f7afbbf35c7dc90b185

SHA1
07c82edce44dfa6505b5f8edd6ae3f4a485f7a34

SHA256
88d3e1e2bc92dac94518f669a35a12e848727ba9268a8d0e01c8f335ca68faec

SHA512
4f0380f6f494c494159e557c19a62d75f1748d6ed47977c8b06d23de4cf66c228e5fb3529c5d77f3a431278194732b93666de7ae2199bdb0365055ebdac90786

Download Submit

Analysis

Sharing