neconyd | 469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c

General

Target

469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe
Size

80KB
MD5

2209e6abb473b890cb413f8a02d969e8
SHA1

370459728393e67bb3416dd7f418613699b9ab92
SHA256

469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c
SHA512

4dcd5aca3fe607a66b4628ca550a6dd697150b81f24a58368855662e99ffc29419b33766a2c98b89d8c629803fbefd4054f3015af52f15ed34a1f3341e7a4a86
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:kdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2508	omsecor.exe
1380	omsecor.exe
304	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1804	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe
1804	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe
2508	omsecor.exe
2508	omsecor.exe
1380	omsecor.exe
1380	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2508	1804	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe	30
PID 1804 wrote to memory of 2508	1804	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe	30
PID 1804 wrote to memory of 2508	1804	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe	30
PID 1804 wrote to memory of 2508	1804	469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe	30
PID 2508 wrote to memory of 1380	2508	omsecor.exe	33
PID 2508 wrote to memory of 1380	2508	omsecor.exe	33
PID 2508 wrote to memory of 1380	2508	omsecor.exe	33
PID 2508 wrote to memory of 1380	2508	omsecor.exe	33
PID 1380 wrote to memory of 304	1380	omsecor.exe	34
PID 1380 wrote to memory of 304	1380	omsecor.exe	34
PID 1380 wrote to memory of 304	1380	omsecor.exe	34
PID 1380 wrote to memory of 304	1380	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe
"C:\Users\Admin\AppData\Local\Temp\469a77e3f5fef3c474a7acc25c4f55f62d4272574ae293ebc9a7fee2db15fe4c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
08a91421de52d7aff43ce28ee9ea2721

SHA1
cf3202829f6678810fca4ea2ecc3a5a10e4dd69a

SHA256
0dc6de50b5ac9513ab79a6b4625bb7e4ea5ea9146915eb62e73943e21471eb8a

SHA512
77be253d264591f760b8eff5b8c2037577b653999abfe031e9f20f585da8ee00443a3110d13cd0e7858cf4637d2d73e93ba952549bcb2b20404f6cc9041d6c9b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
07d9b0ecaf47317cc30b4941dbe2c44e

SHA1
ca59db74b49e14215c01e1bf3a396626018a261e

SHA256
3a58477e0b10e1fe4940226333100a673c6aa034753d5cefbb920046c9315c3d

SHA512
3ee698e638bcec592ca2402e778bd262324b2cd32e59cbc7371a8d8727bfe16af255c81a72a094393a85e2f1ebd688ef63e95e02ed931754e86e0fcc286ac1be

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
77c6d5fc8ea45270b17d063cb5aabda7

SHA1
1d26a80dfcc76c2d9a465e6e7135993d53fc36ee

SHA256
0310a14d0d2ed94321ca760628f1cb46069d0b894ee6dba345d46ff3a6122b98

SHA512
7cdbc19529de6832f679ec185c8793f26ce8d824d897f33971701373c1b6d77f62e824840a804aff8e46affa3cd144c192949ad0371a0fc139a035a00f800c9f

Download Submit

Analysis

Sharing