neconyd | 49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4

General

Target

49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
Size

33KB
MD5

493ff34e77901f716fab30569f3128b1
SHA1

34306b4a8a27bb745b8dfc769243cc762bd64c9a
SHA256

49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4
SHA512

16dbef0509ef3b4be44ab3e866b57fc4f782f2b9f280ee7e2bf000275adabe03fe9a7b76a9c7f4372aa7257f04237dfbeef676654fea95518f4bfd100d3b26ba
SSDEEP

768:KfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:KfVRztyHo8QNHTk0qE5fslvN/956q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2284	omsecor.exe
1532	omsecor.exe
1736	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2552	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
2552	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
2284	omsecor.exe
2284	omsecor.exe
1532	omsecor.exe
1532	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2284	2552	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe	30
PID 2552 wrote to memory of 2284	2552	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe	30
PID 2552 wrote to memory of 2284	2552	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe	30
PID 2552 wrote to memory of 2284	2552	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe	30
PID 2284 wrote to memory of 1532	2284	omsecor.exe	33
PID 2284 wrote to memory of 1532	2284	omsecor.exe	33
PID 2284 wrote to memory of 1532	2284	omsecor.exe	33
PID 2284 wrote to memory of 1532	2284	omsecor.exe	33
PID 1532 wrote to memory of 1736	1532	omsecor.exe	34
PID 1532 wrote to memory of 1736	1532	omsecor.exe	34
PID 1532 wrote to memory of 1736	1532	omsecor.exe	34
PID 1532 wrote to memory of 1736	1532	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
"C:\Users\Admin\AppData\Local\Temp\49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
f92fc5e0628606295f6cd606c22117ac

SHA1
44dc0ffaba50c24431bce011255103c07790c587

SHA256
5391afaadd073bee9decab8bfbb45a74dffe284d692c1e74eed880a17b4cc1a5

SHA512
aebbd0544743f923f38cb8e1c8592d75e31f4d41ec9a6276937a256e62e85f0d8900a5e04a6d59f9e55b3ad9907b72e4e19c4d94365eb2caf52492b24cc2bd57

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
5fab8586adcc45f36e40fc98c4d41e6a

SHA1
be9fde0c15902b5fa99949499a47e2655a75bbb1

SHA256
b0ea3ef603f97738eeaf23a82ea8e82d9d99cc4e99f808eabd5b0ee93d1d2887

SHA512
edf9a54936cd0fa32dc1c55a6d1bb79f24807436189b1d3344951bd48175e4db02c25bba0ed0d07ed45ffe4ba5e718718a24684e1c75e09f365627100f5c03be

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
7dad69d8c7a1b97c25ca558d752f02e3

SHA1
db8d9b744264c27866f92e6541ecab762b97b538

SHA256
dba1d8c7d7a7b004635e2fdc812a06ec99d196f4fd8298bc15e165f8c1fa26b7

SHA512
4cc21ef829c6dfb24120733e3baca5f7da653c8871e0e6ed28edfa11d92e3d3a57ebbbf20281090a84a0c7b95af8c77517b0f606db6c1cea0a82b1bc7fa80a20

Download Submit
memory/1532-43-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1736-50-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1736-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1736-45-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2284-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2284-25-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2284-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2284-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2284-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2284-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2284-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2552-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing