neconyd | 6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9

General

Target

6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe
Size

88KB
MD5

9496eb5e9351c7b820bb6febabbd8880
SHA1

16adc27f75454571306922704fd696d3da7fc14d
SHA256

6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9
SHA512

6344b4f06a1c6c8418bbbff05cc73d5b3ede856da3c85bf74c4c3b2be094aa54225f36565ca9ebc2fd029145f1943bc44615aee4b6f635803170bd6a3382f65b
SSDEEP

1536:Rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5z:hdseIOMEZEyFjEOFqTiQm5l/5z

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2808	omsecor.exe
1332	omsecor.exe
1736	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2788	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe
2788	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe
2808	omsecor.exe
2808	omsecor.exe
1332	omsecor.exe
1332	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2808	2788	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe	31
PID 2788 wrote to memory of 2808	2788	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe	31
PID 2788 wrote to memory of 2808	2788	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe	31
PID 2788 wrote to memory of 2808	2788	6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe	31
PID 2808 wrote to memory of 1332	2808	omsecor.exe	33
PID 2808 wrote to memory of 1332	2808	omsecor.exe	33
PID 2808 wrote to memory of 1332	2808	omsecor.exe	33
PID 2808 wrote to memory of 1332	2808	omsecor.exe	33
PID 1332 wrote to memory of 1736	1332	omsecor.exe	34
PID 1332 wrote to memory of 1736	1332	omsecor.exe	34
PID 1332 wrote to memory of 1736	1332	omsecor.exe	34
PID 1332 wrote to memory of 1736	1332	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe
"C:\Users\Admin\AppData\Local\Temp\6987e71b951c05d806f84873faee310dc823795bc8e13c095a8894b0d7ed32d9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
5ee980ff68027f27b11fd947485b4d6f

SHA1
99b5b048f32feef5cdfef4b5e0b6024e09325dbc

SHA256
b6c8df40c2fb4fb2672faa330bd8f2d50c159c30745fc243ec738487d11297ef

SHA512
f9be76daf46b201bf9e92d47c795152721ff68345328b8331c8c688e7dd966e24cbe8096fb67ded2639c87054fce687eba502529e8694bc86b5008949f022869

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
588757e498613a3df38415b697fb3b6f

SHA1
0c5d7e73f85bee128c776807c4b0064e39542874

SHA256
a4c5b59d1d39d847581d1c7e02384b68543648888c93e257ea6e9274f278a6b4

SHA512
89b88a5a501495f2193c151a54b620694e483eaee6179b60fc191cce26b5dd7e0db003dc4001176326c49b32043d5ac31ac751d111ded796655ae809bd959cb9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
cd8dfd995acffc465856122413db6437

SHA1
2e6ec6368fd9007fe3500b9a2e7d901275fe8599

SHA256
4191725f516bab90d8b8d2dad593ca66024e156604d15968930e0d87d0f1a1c9

SHA512
21ac27ed4d04057fc6c3be506c707ba2749b706878b6f78a699bdbcf3b19e138f18eee2e78643505014c63e918c17e918ec0e3a42dd81dd6e9ef037de01db70a

Download Submit

Analysis

Sharing