neconyd | ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483

General

Target

ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe
Size

61KB
MD5

5e1f7996331d7c63d518437ed335f68b
SHA1

d4da47d3e22d3c6cecd81244223222f1e8b30e64
SHA256

ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483
SHA512

50c1ffcd2ffdcdd68cdb76c33a674e67d61a90b6c90b480b83771e33b830f2207d0e8281ac3b5abcc49343a07e65cdfbc0216c10fcdc42a96139b35674100a3a
SSDEEP

1536:Pd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5:ndseIOMEZEyFjEOFqTiQmTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2400	omsecor.exe
2284	omsecor.exe
2932	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1628	ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe
1628	ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe
2400	omsecor.exe
2400	omsecor.exe
2284	omsecor.exe
2284	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2400	1628	ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe	30
PID 1628 wrote to memory of 2400	1628	ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe	30
PID 1628 wrote to memory of 2400	1628	ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe	30
PID 1628 wrote to memory of 2400	1628	ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe	30
PID 2400 wrote to memory of 2284	2400	omsecor.exe	33
PID 2400 wrote to memory of 2284	2400	omsecor.exe	33
PID 2400 wrote to memory of 2284	2400	omsecor.exe	33
PID 2400 wrote to memory of 2284	2400	omsecor.exe	33
PID 2284 wrote to memory of 2932	2284	omsecor.exe	34
PID 2284 wrote to memory of 2932	2284	omsecor.exe	34
PID 2284 wrote to memory of 2932	2284	omsecor.exe	34
PID 2284 wrote to memory of 2932	2284	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe
"C:\Users\Admin\AppData\Local\Temp\ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
658a0fe04d139271032b00759f62fbae

SHA1
ce481b427e7f8dd2437172768e127e68713177f0

SHA256
4bb11e9953f0e251701776c44628d7ac019846c92c77c90214e640aa7575b89c

SHA512
bd9da3f4db1c223c2a4dfb952fb93ba4546eddead198d3d122afff26309a23c73b7afa8076775e01f809beeb1b99d25719bd00ac24ac82993b11ab3c6f263e65

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
8cb3c839555c9e36c818a4c58f0c5d12

SHA1
d85e57ba93a861af56946952007d92936a6563f1

SHA256
22b1bdec83b83f802d410988c6ff00cadb7af761dc3fd44432e28928f5a682a2

SHA512
945df41c6e37725c600801612348d1e8bea6f05d82636f03e264aad3d3152ae836d3bf335eedc8371862f344f1a171c136e04c310da815cb321056635e3b1a2e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
11d87827d1596ab43a0036504419368f

SHA1
a50b070801f3b81db1c7e6d9580162755695b35a

SHA256
0a8e881886c00b9f059fabc467060a660366164400b3622f31cf2506a51f5d37

SHA512
826d6f21dc97bb53d1ab35e1a47fbbb20e8b77fdd69f9c811911909b7f2232ab4004f8457f58a6555a874cbe2fb4e7acbcdad533fa32768e1e9668e0315292e9

Download Submit

Analysis

Sharing