neconyd | a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6

General

Target

a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
Size

80KB
MD5

069dad5b8bdad12163efc02202980084
SHA1

8f78016b6151df0adea2e245dcfeb695bc8489aa
SHA256

a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6
SHA512

c534c87d37c992de852caa3282d6bc1fac257a7bbef293c644d0e93bc20423b2cfd180d822321967a90dfe646528728a6f86e7b50af6e063f27c872c7f4cde9c
SSDEEP

1536:ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:6dseIOMEZEyFjEOFqTiQmOl/5xPvwX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2520	omsecor.exe
1608	omsecor.exe
1980	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2696	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
2696	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
2520	omsecor.exe
2520	omsecor.exe
1608	omsecor.exe
1608	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2520	2696	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	30
PID 2696 wrote to memory of 2520	2696	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	30
PID 2696 wrote to memory of 2520	2696	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	30
PID 2696 wrote to memory of 2520	2696	a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe	30
PID 2520 wrote to memory of 1608	2520	omsecor.exe	33
PID 2520 wrote to memory of 1608	2520	omsecor.exe	33
PID 2520 wrote to memory of 1608	2520	omsecor.exe	33
PID 2520 wrote to memory of 1608	2520	omsecor.exe	33
PID 1608 wrote to memory of 1980	1608	omsecor.exe	34
PID 1608 wrote to memory of 1980	1608	omsecor.exe	34
PID 1608 wrote to memory of 1980	1608	omsecor.exe	34
PID 1608 wrote to memory of 1980	1608	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
"C:\Users\Admin\AppData\Local\Temp\a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
1a499116d25692f1906357e558167ad7

SHA1
64040bb4b7efbba535604c6e0a63ff061a143553

SHA256
82c15929ac0cb6bda7e4957ef9703b3e182dd6bc69c846c81c79ef25f9292bd9

SHA512
bb00477a72276bb91af7f0deac8bfc1ea1ba50979da80ae0af0dbf13002c777898ed7f56f4f77602aea16ec73b4e4394368cb0ed165570d7595123de3f38cbdf

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
6ed4697d2be56fdcac737d2a31d1a236

SHA1
7b33f9fc8eb7aa574cb7ef3cb6b24bfa2bb92d6b

SHA256
5cd88b65747bbdf6fac0ed3cccfdf607dc701eaae736a619c3780029945c52f4

SHA512
6ebaefc4d91b520d80db9572f1772a92752ec5ad63f30992fd9bd6f2fc45f03b2388cd19ac59e7c2b86db83ac9332d0d7628288f7a477bd8528dfe42b47475e7

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
608b45248f54a8edd9ec33d6fb314198

SHA1
0dcf6a6f0677924e5d7b5330c48b92cf7b03da93

SHA256
725ca637377cf3c4e9e87bfa5a41ff6f26fe0de4f39902a80128ce28202a0e27

SHA512
11a7fe942f82642c5484bcb2681b677d5f8515240165dac9ea801aa1aecb0da38389de3d4af855b6cccbe3bf92eec6d87bb37d6b2a0bde0ef95a49c75ea406bd

Download Submit

Analysis

Sharing