neconyd | c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8

General

Target

c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe
Size

76KB
MD5

19fb34656367c228177bb9756f05b542
SHA1

9cd65ca143beeae72523cc52290dc836c9f3ae8f
SHA256

c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8
SHA512

8a732549841a29b995b1f9933058d7e1f9d2db59e4a37a0511b1c8d7d0c9348f84c0c444e744734ce1738f57caea40002e441af345d829c21888e18d08904a38
SSDEEP

768:VMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:VbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2412	omsecor.exe
2592	omsecor.exe
1732	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2092	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe
2092	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe
2412	omsecor.exe
2412	omsecor.exe
2592	omsecor.exe
2592	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2412	2092	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe	30
PID 2092 wrote to memory of 2412	2092	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe	30
PID 2092 wrote to memory of 2412	2092	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe	30
PID 2092 wrote to memory of 2412	2092	c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe	30
PID 2412 wrote to memory of 2592	2412	omsecor.exe	33
PID 2412 wrote to memory of 2592	2412	omsecor.exe	33
PID 2412 wrote to memory of 2592	2412	omsecor.exe	33
PID 2412 wrote to memory of 2592	2412	omsecor.exe	33
PID 2592 wrote to memory of 1732	2592	omsecor.exe	34
PID 2592 wrote to memory of 1732	2592	omsecor.exe	34
PID 2592 wrote to memory of 1732	2592	omsecor.exe	34
PID 2592 wrote to memory of 1732	2592	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe
"C:\Users\Admin\AppData\Local\Temp\c551a3c2441a770a549bda2ecb8a1dd9b4e057ee507640ae9d15dea3c2fef1f8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
af9faf37b3fb1227c55192a00dd407e1

SHA1
7a051f67decb195dbb0f0e2ca98c404160180d66

SHA256
69780a2586abadfa7c6d1fd65cab655f50f59842fbe34cf35ee3f06d5b4d2d96

SHA512
bd85c5ce9cce6a923660fcbed78842b89c2c45926ef08abf74cfd5ba4d0359f2ee8757925303d700b498df2374aee4fd6643276844470409d4ee02df83b90752

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
43cb023f7647c69acf00c70c34170f24

SHA1
e855a11608ee0c5f8d2a80e98e66557dbbd783fc

SHA256
c471bf99bc66cab0b3af52e963d22faaae377ca567f46ef802ef620e7db9dde6

SHA512
7a80bd8ef01a551247998e151cd223b2acc3b099ce281038ee5ad5bf8db68d27f1e8ecbcb65200519d778b5cd7b361c7b04c8e1897accc434002e0af1630be89

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
93ae2c780792b4ee709c766e0afd699b

SHA1
4bf9d837b983b35cdff1c1fc18513a533ca34a09

SHA256
46fd48c58464e090a73da26e41430bc0a0a0ac65cd0aa745472a7a028fc8be9a

SHA512
b0c4bfbc8a2203d021dded9a4fe0cdee456dfe8de0d1f6eecabec950e1f2156ba14a6d88cf3d29bd1a76d7ce236bd9ab001ab9eaaf21ea3fd27227b12b7767b2

Download Submit

Analysis

Sharing