neconyd | 54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bc

General

Target

54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
Size

72KB
MD5

6fe48d5c17a51a1e1cdc580929ecf150
SHA1

4a9ef6964981bc925abaa5b71acba37ef701dc63
SHA256

54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bc
SHA512

f6343572658a44f6df4ae82ac8bd0804130baeb5621e3cafa8c6388e52dce08709f569f7aebdb2887c601d0a05a6ae4875d66c9c650e271cfb7c20b6150a3451
SSDEEP

1536:Jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211v:JdseIOMEZEyFjEOFqTiQm5l/5211v

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2008	omsecor.exe
1708	omsecor.exe
1116	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1948	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
1948	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
2008	omsecor.exe
2008	omsecor.exe
1708	omsecor.exe
1708	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2008	1948	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe	30
PID 1948 wrote to memory of 2008	1948	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe	30
PID 1948 wrote to memory of 2008	1948	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe	30
PID 1948 wrote to memory of 2008	1948	54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe	30
PID 2008 wrote to memory of 1708	2008	omsecor.exe	33
PID 2008 wrote to memory of 1708	2008	omsecor.exe	33
PID 2008 wrote to memory of 1708	2008	omsecor.exe	33
PID 2008 wrote to memory of 1708	2008	omsecor.exe	33
PID 1708 wrote to memory of 1116	1708	omsecor.exe	34
PID 1708 wrote to memory of 1116	1708	omsecor.exe	34
PID 1708 wrote to memory of 1116	1708	omsecor.exe	34
PID 1708 wrote to memory of 1116	1708	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe
"C:\Users\Admin\AppData\Local\Temp\54a91bba6f8f6018724b9e0f106450057164d0730d979d992a61f25d49c936bcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
decd33de0b63b67571294e4a88b2cefc

SHA1
cf09cb32e9b26448bafb5d3686da73ad5bfcd502

SHA256
43d3e2ee9057a7588fb9511092d35a44974c5c54fdf1ff6f23e1d0acfd3231a3

SHA512
0d1a5cec2485c107fd84d54fcab534d5288eacc2d5a7c3fad00adfe6a290538486b0263da315a1467217b8506f1887b3360ec114328d67f9eddec7c6562dc117

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
b1d73018087b94b6b79574a770a1e85d

SHA1
cf54ccbc4b04a49e2dc7126d5267dbd6700c6975

SHA256
f58f47cad8a9d8eb8bdae6253081490bde34046fdbc966b3ffa5c1c51a508c50

SHA512
7492d78c2a2e61b3fc94c0780f88f0cfc0e51596e9c53111cba6e3af1faa403269dbdd247e80ed4de989152c3f5eff22fef812099c1f957f5e8bf10efed11f15

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
e050c36c631877f70478d3dee19e1f90

SHA1
ade9528200d18a9ffc81960061921a9ee3bced07

SHA256
c654099928ed37d1684fb2eec81d78bbac20d419de0d2292b1ef614fc1404890

SHA512
3f4fa826f1160da2a8c4d6fd8d35c69b8fbe0ef8e05453f161f3d207ad87bce44d530663950ac287757af808ab483ca54b23ebad3a62e319f6f0915c73b9adce

Download Submit

Analysis

Sharing