neconyd | 87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d

General

Target

87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe
Size

80KB
MD5

4d09d418e20dadaf6bb4b71b9e9b70f9
SHA1

a08239d7bbfb50e2b68a16373b090b63507316cc
SHA256

87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d
SHA512

c1fd63cc5b078701d2f370400b93e8f703596f6eafb014a83861228babcaac01e83efd9369e182ad1c9520178f4195fdf6ab979fb50db6481a252684c2590beb
SSDEEP

1536:Cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:ydseIOMEZEyFjEOFqTiQmOl/5xPvwX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2344	omsecor.exe
2928	omsecor.exe
1892	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2464	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe
2464	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe
2344	omsecor.exe
2344	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2344	2464	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe	30
PID 2464 wrote to memory of 2344	2464	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe	30
PID 2464 wrote to memory of 2344	2464	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe	30
PID 2464 wrote to memory of 2344	2464	87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe	30
PID 2344 wrote to memory of 2928	2344	omsecor.exe	33
PID 2344 wrote to memory of 2928	2344	omsecor.exe	33
PID 2344 wrote to memory of 2928	2344	omsecor.exe	33
PID 2344 wrote to memory of 2928	2344	omsecor.exe	33
PID 2928 wrote to memory of 1892	2928	omsecor.exe	34
PID 2928 wrote to memory of 1892	2928	omsecor.exe	34
PID 2928 wrote to memory of 1892	2928	omsecor.exe	34
PID 2928 wrote to memory of 1892	2928	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe
"C:\Users\Admin\AppData\Local\Temp\87616dadd636635db90aeb8c405737bda8abd2ba8da8899d3aa754ca99d9cb4d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
0ea34d4819b42d694611460df0c0e67b

SHA1
aaf82d70bcc559114d68fdab7f5879d5a4ac65ac

SHA256
b62401eea7bb4bd7c3716fdfc2550169900bbf27daaa3a76f506e106e79eca61

SHA512
82ee237b564d9dad7232a0c909798e11bd58586918919d9bfdd1533f8880855e8cb2fe3b296a45e2c575e2db2942b73191eca7bb312849998cc956e24f41e0ff

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
e6c40e0f6a59185c79e3982dd2499041

SHA1
175c6fe0c4ccb5174d84c5cee633fbbe57019f0b

SHA256
b8ffd946f0e1c896d539f97c4c43a8132e40f0e1b8227384318e2602704f75d9

SHA512
1f7208760ff0aa74205a624a3c674da6f9993a6a0a4800f6cd11886096b85a744c0c0dfed3ef04fb3acb61026f35f82f60f5886521d2ae1cde86183338ef9641

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
ef480246d18750e580fc9f89567319d2

SHA1
10eb6fbe9b5e7c634ab63cf521d8a5ff579eb083

SHA256
7bf8fae27b9192dcd4886a347b8c9b5d269654817e0ffa1c1d6f8d5f50134b85

SHA512
689c3fd0310ce269c351b2eee5fa64723679ddfa9347d0be3ab22233c39a9b71e922472ca45b115f71131630778776390d74a528196b8182b545d6ac6efb14cc

Download Submit

Analysis

Sharing