neconyd | 47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6

General

Target

47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe
Size

61KB
MD5

8b3e6e6a31fb8844e093e4cd4921895a
SHA1

427f5a5d8e5ce3a2c6526c19cbc07a5c7db004c9
SHA256

47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6
SHA512

f300b4c2249658c1a403bf8e6210b70bfc8e449d1461424d0a6b0b3fac5c9d96f21ada30817977f563237554df353ac2d50441edd0d670c8432e07df12f5daab
SSDEEP

1536:Dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ1l/5:jdseIOMEZEyFjEOFqTiQmXl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2064	omsecor.exe
2612	omsecor.exe
2028	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1924	47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe
1924	47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe
2064	omsecor.exe
2064	omsecor.exe
2612	omsecor.exe
2612	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2064	1924	47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe	30
PID 1924 wrote to memory of 2064	1924	47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe	30
PID 1924 wrote to memory of 2064	1924	47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe	30
PID 1924 wrote to memory of 2064	1924	47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe	30
PID 2064 wrote to memory of 2612	2064	omsecor.exe	33
PID 2064 wrote to memory of 2612	2064	omsecor.exe	33
PID 2064 wrote to memory of 2612	2064	omsecor.exe	33
PID 2064 wrote to memory of 2612	2064	omsecor.exe	33
PID 2612 wrote to memory of 2028	2612	omsecor.exe	34
PID 2612 wrote to memory of 2028	2612	omsecor.exe	34
PID 2612 wrote to memory of 2028	2612	omsecor.exe	34
PID 2612 wrote to memory of 2028	2612	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe
"C:\Users\Admin\AppData\Local\Temp\47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
9b93cb32d5abb4fbbffeea1403a06899

SHA1
a093778e2467792f181f29ae8a8090591708e910

SHA256
26b8f74802b7a1bc04f75a1a148c703092a3e62b55d11daa91b4d43436ac4752

SHA512
e9679c27059ffcc5e603e51629aced63caad463625caa8ab9f36b2e4965fbe76d2bfebaec604dcf6008cc6dc81a90da5cb102c1f1e1f3c3a6d595f6066852c70

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
0c026d705b2d72ed87eb558cb9258c90

SHA1
b661dd6b7f805cd8647d90dbe01c9989d84422a5

SHA256
9dc04a95bb4b0d935a80f79ccde71f64429f0dedbf58688ac0f6cccc01f6e4cd

SHA512
13c70278df836812c8a0c22e3103f79647d66b55d9a3fc71caf87e40287e4b424ca97b512042297e686647ce1987d54c856bed73285021c01f030f8acf3b019c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
094f8c59236404e0d146e2c58f9b3bf3

SHA1
153e593e4166a96579e107ba23f461ed62d7db56

SHA256
efb6b4f8a6239c8e071f39d4f4060f279457fd01008afe8139862e77ec6dfbb6

SHA512
796f66aa255782810ec7ff0a2e5b23018b1f39d475ffee87a40435f528f66218e447d1a3ec5c79c672b42b3ab2d50f93252c609b5b2f05532b222bce16a987f9

Download Submit

Analysis

Sharing