neconyd | 7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24

General

Target

7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe
Size

88KB
MD5

f09c5befab2a46f95cdaf3621e20a5fa
SHA1

12a837441fea6d04e24d3609ed906167bb0b37eb
SHA256

7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24
SHA512

f96d9065f4c98f52ce6d31261498ad2b3c1da84fa05d66510e3002f7605387fc8319e2a5c6068e8fa8bfe76c4d6cedfc6906f465d0247ed1d07bf536c18b3a46
SSDEEP

768:ZMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:ZbIvYvZEyFKF6N4yS+AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2536	omsecor.exe
1480	omsecor.exe
1960	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1668	7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe
1668	7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe
2536	omsecor.exe
2536	omsecor.exe
1480	omsecor.exe
1480	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2536	1668	7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe	31
PID 1668 wrote to memory of 2536	1668	7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe	31
PID 1668 wrote to memory of 2536	1668	7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe	31
PID 1668 wrote to memory of 2536	1668	7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe	31
PID 2536 wrote to memory of 1480	2536	omsecor.exe	34
PID 2536 wrote to memory of 1480	2536	omsecor.exe	34
PID 2536 wrote to memory of 1480	2536	omsecor.exe	34
PID 2536 wrote to memory of 1480	2536	omsecor.exe	34
PID 1480 wrote to memory of 1960	1480	omsecor.exe	35
PID 1480 wrote to memory of 1960	1480	omsecor.exe	35
PID 1480 wrote to memory of 1960	1480	omsecor.exe	35
PID 1480 wrote to memory of 1960	1480	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe
"C:\Users\Admin\AppData\Local\Temp\7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
8ca3ff1f4406904060453bc4b005212c

SHA1
d5a441b85ece1414968bee90d7f12a8403f62393

SHA256
819a452368dae2cb1f506f33a34fa2d3bf6942b1146258f72ebd641a69bb7b4f

SHA512
06c0acf40b431811033b18cbfb8fcc00fc02315184999589d3ce015e4fdbfdc2841fbc203d432f833e865f5768dc77e9e6461d09fb44d6fdce6b5372c71fc4dd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
e9fb928dc6e1312e12f49657fec5b101

SHA1
f6dde764e160b15e546773cf7ea71f512b6a7bd9

SHA256
93d7f3f1b84b5ba05b1b49207ba164022085779696c3a2b8eabd446a844b9083

SHA512
67dfccd8718473b231c120b823bc9eb0691eab2f4ed2eec7e4b1bf89e9904bd9e2b44eed52e214f6faeb76788557461d6217794ad4fd46e8befc2054bf74f144

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
b169ee06945488e57aadb14ddb19354c

SHA1
599246d4f10b8d6c4d93e4a7a93675f213f411a0

SHA256
71d4935195de4fc66699a42ac766c97272923e215ff2d2887c6b7682c8ce71ac

SHA512
ce70e032c998e26a11903e85328a07b402b87a4dba557fce5dc44039f8a96f92da0d51370ea1540509142669481eae3db4bf8df6bcf4c44c400273c377d51fc0

Download Submit

Analysis

Sharing