neconyd | 7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346

General

Target

7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe
Size

84KB
MD5

af6fc273d243e5ecdfbde224f897eb99
SHA1

851d74962a9ffd6d003a84beda7938d22eb6c4a0
SHA256

7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346
SHA512

2b02d9c761fc9ac8778dda06d8f4b99a7422889217c14f462cc7fc92f0dbf1c8783b060ecea85da1700c50a61e1971fbd00518f4d5faf57efb6b6f6a4dd21b87
SSDEEP

768:yMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:ybIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2744	omsecor.exe
1272	omsecor.exe
2876	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2164	7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe
2164	7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe
2744	omsecor.exe
2744	omsecor.exe
1272	omsecor.exe
1272	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2744	2164	7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe	30
PID 2164 wrote to memory of 2744	2164	7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe	30
PID 2164 wrote to memory of 2744	2164	7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe	30
PID 2164 wrote to memory of 2744	2164	7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe	30
PID 2744 wrote to memory of 1272	2744	omsecor.exe	32
PID 2744 wrote to memory of 1272	2744	omsecor.exe	32
PID 2744 wrote to memory of 1272	2744	omsecor.exe	32
PID 2744 wrote to memory of 1272	2744	omsecor.exe	32
PID 1272 wrote to memory of 2876	1272	omsecor.exe	33
PID 1272 wrote to memory of 2876	1272	omsecor.exe	33
PID 1272 wrote to memory of 2876	1272	omsecor.exe	33
PID 1272 wrote to memory of 2876	1272	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe
"C:\Users\Admin\AppData\Local\Temp\7fffa69118d4cf3f2edcd938eb23b0956268064df727c694626a1976e264a346.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
a9f08bcdcc73543ab6cecdccf737aa49

SHA1
87e39182ffc1738e4642cb505a3e51afd9660793

SHA256
b7c931051db06960743ce36207583d97d1bc36940c02cd98e59df7717c9fc8db

SHA512
1008818d069c37d182f7d636339a6e49fe8f8a1fb473a0c547c91b9126cc4537d2adfaaa5f79f4b81af57a1fd08bc9170a0b30a0bea4eec8195ef7a484dfeb27

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
2c3daa67b51c7a77fb529914f96d4c86

SHA1
243c96e27ec730f15780c3e80dd5c0fbeb81f85a

SHA256
576845565bed217f25028bc87bae9710b23a23bf15b6845987faa8bfd10d092e

SHA512
5ab4c6278cfb4fca005fd4d2aeb8f6e4e7fdfd44c9b918cf292eceedafa70310fed9ef369bab455affb29c7c5d28e6b35bcb675d75d467cfdd13f4401f418a7e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
673ba1d2c3f73548fd60046a5dd22cce

SHA1
be9aee86b01f0bc3238bfd8757c0ef5e56bc1c74

SHA256
86472ed3132fdf8299dc93e95afa7e6aec221b79b59c9a6b6fdeea301133686f

SHA512
206f23f8a5b74d2cd11fa53b64efe78c13733723825df6de7b01e92f8ae8b6d0c148630ed3239fec80f57c91d66c286ae778524f9f0a6aa8917e329a0dd55517

Download Submit

Analysis

Sharing