neconyd | 7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1

General

Target

7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe
Size

62KB
MD5

ebf9df8b042d4a4a335db2438f8782d0
SHA1

573b4d6140f3ba093a03fa1fea0573e6b66ebfc0
SHA256

7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1
SHA512

779ebbf4c0f40af33b66ff881a3aeab984af7ba2b3d6c52599dfa5beddf2820265382f5c2035b6d7030ffd5a958ef4fc289c62f8e6f8c7d0301e5aa0f904d58e
SSDEEP

768:EMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:EbIvYvZEyFKF6N4yS+AQmZtl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2940	omsecor.exe
2116	omsecor.exe
1236	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2768	7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe
2768	7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe
2940	omsecor.exe
2940	omsecor.exe
2116	omsecor.exe
2116	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2940	2768	7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe	30
PID 2768 wrote to memory of 2940	2768	7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe	30
PID 2768 wrote to memory of 2940	2768	7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe	30
PID 2768 wrote to memory of 2940	2768	7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe	30
PID 2940 wrote to memory of 2116	2940	omsecor.exe	33
PID 2940 wrote to memory of 2116	2940	omsecor.exe	33
PID 2940 wrote to memory of 2116	2940	omsecor.exe	33
PID 2940 wrote to memory of 2116	2940	omsecor.exe	33
PID 2116 wrote to memory of 1236	2116	omsecor.exe	34
PID 2116 wrote to memory of 1236	2116	omsecor.exe	34
PID 2116 wrote to memory of 1236	2116	omsecor.exe	34
PID 2116 wrote to memory of 1236	2116	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe
"C:\Users\Admin\AppData\Local\Temp\7565aa5ce8b7e1dff625ff07a018d969d4adf27331e90745ee7364bf304da0d1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
b18a90f626ec086cb7ac8a29b7ce673c

SHA1
d0b50bff342405b3a69b108bf67c5450208b1202

SHA256
da85f6411ca12f1763b2547d2a2eaa5448b62792afe01266b7327b410f7c6ce0

SHA512
caf6297684f51104f12329eb93ca898bcc60a6db06e5a636c514b225697b57f923f50be1aaba34048ec191b56871a1b512ad3f092514f66134e7061460837829

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
0de9f6a0af1d6cf193c652e72dfb43ef

SHA1
f4b4ccd1daa9504bece41fd8898d4d2f62c008de

SHA256
fc68b15b5d2e392e99513af6ef3729efc5862f0b89135a0d0692d3257d76d116

SHA512
fd6266a1bbeeefbc855efe6862212f0030b48235a0ab02fb197b74ca95d0d6d6c7572242391b1c49432714c2f6078930f40c634123c0a535228a3f7cf69a4b62

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
4bd46b38a179c03d2af646c7f7e2c238

SHA1
cb9abf7eda8941f645e9bffca272fe44b75710b1

SHA256
9e7cd88743e9b6f534fe10bd3315a6f415ccf9c3a6caf5304886db5b38d63717

SHA512
9cd501b3eede192a3e24dde7c85736de3daa64ee75d6e6ba463694b79792b367f24004036c01cb1df37bfba80b34b5eb873f2e4e54ddf9709ff0dcb1fbc039fa

Download Submit

Analysis

Sharing