neconyd | 49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4

General

Target

49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
Size

33KB
MD5

493ff34e77901f716fab30569f3128b1
SHA1

34306b4a8a27bb745b8dfc769243cc762bd64c9a
SHA256

49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4
SHA512

16dbef0509ef3b4be44ab3e866b57fc4f782f2b9f280ee7e2bf000275adabe03fe9a7b76a9c7f4372aa7257f04237dfbeef676654fea95518f4bfd100d3b26ba
SSDEEP

768:KfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:KfVRztyHo8QNHTk0qE5fslvN/956q

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
448	omsecor.exe
2212	omsecor.exe
2184	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 448	2756	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe	82
PID 2756 wrote to memory of 448	2756	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe	82
PID 2756 wrote to memory of 448	2756	49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe	82
PID 448 wrote to memory of 2212	448	omsecor.exe	92
PID 448 wrote to memory of 2212	448	omsecor.exe	92
PID 448 wrote to memory of 2212	448	omsecor.exe	92
PID 2212 wrote to memory of 2184	2212	omsecor.exe	93
PID 2212 wrote to memory of 2184	2212	omsecor.exe	93
PID 2212 wrote to memory of 2184	2212	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
"C:\Users\Admin\AppData\Local\Temp\49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
29042b787fc7ba8ab359de83a9836119

SHA1
036a1efae29053fcc96feb0f2e5f82cc7299d5c8

SHA256
1c2dbdcbdd70b4a927d6ac2ab30117a20cafdcaf9cfb00a832d1fee917f869bf

SHA512
80006757ef5ce49e8f1bfc62d01ab6b9219b85f34e578238ff3d55d3f4301884491b070e02e8b473f223689ddc59af351f05cc9f9b13f094b869cead44e44206

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
f92fc5e0628606295f6cd606c22117ac

SHA1
44dc0ffaba50c24431bce011255103c07790c587

SHA256
5391afaadd073bee9decab8bfbb45a74dffe284d692c1e74eed880a17b4cc1a5

SHA512
aebbd0544743f923f38cb8e1c8592d75e31f4d41ec9a6276937a256e62e85f0d8900a5e04a6d59f9e55b3ad9907b72e4e19c4d94365eb2caf52492b24cc2bd57

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
ab67f219e57e9907f75cd9be17d9e81f

SHA1
cdddb9def328a0a5942df44b16e4d915ec4f9f10

SHA256
f10566fc010052b0eed8d8fd073649f83f67dffcaf3affb41bfb308ec8bb8278

SHA512
2a610f94f34fdf5be2bfb6aceef3f654a46c87274eec2a6a750c8afb30e772f7110e32ca7774c66c2cb545224c858f2aa2054ec3e463d9397cc2dc29a6194429

Download Submit
memory/448-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/448-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/448-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/448-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/448-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/448-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing