neconyd | a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6

General

Target

a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
Size

80KB
MD5

069dad5b8bdad12163efc02202980084
SHA1

8f78016b6151df0adea2e245dcfeb695bc8489aa
SHA256

a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6
SHA512

c534c87d37c992de852caa3282d6bc1fac257a7bbef293c644d0e93bc20423b2cfd180d822321967a90dfe646528728a6f86e7b50af6e063f27c872c7f4cde9c
SSDEEP

1536:ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:6dseIOMEZEyFjEOFqTiQmOl/5xPvwX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2556	omsecor.exe
2032	omsecor.exe
1940	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2328	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
2328	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
2556	omsecor.exe
2556	omsecor.exe
2032	omsecor.exe
2032	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2556	2328	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	30
PID 2328 wrote to memory of 2556	2328	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	30
PID 2328 wrote to memory of 2556	2328	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	30
PID 2328 wrote to memory of 2556	2328	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	30
PID 2556 wrote to memory of 2032	2556	omsecor.exe	33
PID 2556 wrote to memory of 2032	2556	omsecor.exe	33
PID 2556 wrote to memory of 2032	2556	omsecor.exe	33
PID 2556 wrote to memory of 2032	2556	omsecor.exe	33
PID 2032 wrote to memory of 1940	2032	omsecor.exe	34
PID 2032 wrote to memory of 1940	2032	omsecor.exe	34
PID 2032 wrote to memory of 1940	2032	omsecor.exe	34
PID 2032 wrote to memory of 1940	2032	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
"C:\Users\Admin\AppData\Local\Temp\a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
1a499116d25692f1906357e558167ad7

SHA1
64040bb4b7efbba535604c6e0a63ff061a143553

SHA256
82c15929ac0cb6bda7e4957ef9703b3e182dd6bc69c846c81c79ef25f9292bd9

SHA512
bb00477a72276bb91af7f0deac8bfc1ea1ba50979da80ae0af0dbf13002c777898ed7f56f4f77602aea16ec73b4e4394368cb0ed165570d7595123de3f38cbdf

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
d4150bc4212f27428b3e78eda9003219

SHA1
67efc5f75d7a3daddaef8fbb010b61c6592d36f2

SHA256
6a4e70dee5c29ef246594f157053dd59621f81ec80dfadf5d21a8655ffa45998

SHA512
2317612d5a4c31570234adb9b22d512d45808c0b56f5a21563ce7dcc62560155ed8f019a0ce9868adb33f0df55161aa08b08004c5f21a5515dcfc49c38da0986

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
724619cb21318df1a9d410108e7b6dd7

SHA1
07210315aedcaf6cd7d44ad4c19b5b7ece26f6e2

SHA256
0e3e3c88875b7e4f66a1cf578cfc60dde723f4a7435fefe159134f43b4581c11

SHA512
0eec84f35dfa7091d652a46348a474ad7828bfeea93c4fa71a59c03245335dee8c2020f5152f0567c0be11e704901f4e6d8680d6d08a2f5cbcdc02f508242731

Download Submit

Analysis

Sharing