neconyd | 51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec

General

Target

51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe
Size

72KB
MD5

049420ef9cd7519cca3e7b4ef872ba11
SHA1

99d71c4fb1a25113dacc590ca25af52cf534217b
SHA256

51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec
SHA512

e0fef17b7f58687e8b127f3e4e0cd8d5af5c4e42df154a37d36410305ac23ac8e939aab1ef1e653d53dad50287615bfc48ac6f8e97bf8a3105736383e7e50b91
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/52111:XdseIOMEZEyFjEOFqTiQm5l/52111

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2340	omsecor.exe
800	omsecor.exe
2580	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2288	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe
2288	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe
2340	omsecor.exe
2340	omsecor.exe
800	omsecor.exe
800	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2340	2288	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe	30
PID 2288 wrote to memory of 2340	2288	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe	30
PID 2288 wrote to memory of 2340	2288	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe	30
PID 2288 wrote to memory of 2340	2288	51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe	30
PID 2340 wrote to memory of 800	2340	omsecor.exe	33
PID 2340 wrote to memory of 800	2340	omsecor.exe	33
PID 2340 wrote to memory of 800	2340	omsecor.exe	33
PID 2340 wrote to memory of 800	2340	omsecor.exe	33
PID 800 wrote to memory of 2580	800	omsecor.exe	34
PID 800 wrote to memory of 2580	800	omsecor.exe	34
PID 800 wrote to memory of 2580	800	omsecor.exe	34
PID 800 wrote to memory of 2580	800	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe
"C:\Users\Admin\AppData\Local\Temp\51c684b237d58f6ebd59af80bdc9521ebf1541e4e1324b9ee9faaffe09bb44ec.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
f9bdc3a6a929be58d386ed98f5af9afe

SHA1
3a169151a41e78ed51a5ff72eacb5e4b7df4dda2

SHA256
6d07187eb19eac6c77d22c34f2b09907f2aa4986879ff560c273a36524abbea5

SHA512
a479ae7f53b793d6fff33eef9d68c5624610e7ef6acc5eab367d51da63d0153860599332b63e12ba1ba55e5d5c8db2c319c3696237256eb6048b81d03389fd84

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
62ae4fb6b7d767829c162a3db364ec6d

SHA1
247a0ce323cfd9c91bcd54da90cea7e0bc4363c0

SHA256
d4f09eb293ece5cd91d773ed1d6b8e061a53ca0d4c407a99f3956060753b8df6

SHA512
2ce44fd742d78f33434753f74c8cfdce7b2651f951d4d66d29873ee3c50bc09199aad52695bfb289c86aae4a3621af03643b7d6df86b5bf896c93ed7bf9b4037

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
dea66aa8e90b1fe86bd5ee474dcc6628

SHA1
606db2881c1f242c345714b5ec83912d1a2de6f5

SHA256
4f1113f9c09844eb079d4e0c3d662110c3406910c431cfa99e621f6c6cce1544

SHA512
b17178c4f9badc32cf1644cdb87880417d72dd4f53fd91496dd0f14f744f371632f7f5e2674ea86d6146b07403de52509c75eae7ca74c150866aa923b61e0f7c

Download Submit

Analysis

Sharing