neconyd | ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6

General

Target

ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe
Size

80KB
MD5

b465b4f55a678a8be063f1448983dc85
SHA1

4ce3865726505163edbcf5e5a952be0e33d54c03
SHA256

ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6
SHA512

0c3eedad30161a3b4015342be0d405ff24ce3feb2d71afc3a1011a874d455049db2ba027ea4b6b7f30e8008e3bdcde78ae1a1ab5d904fa2a307aff544bafd8d0
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzJ:+dseIOMEZEyFjEOFqTiQmOl/5xPvwV

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2324	omsecor.exe
1800	omsecor.exe
1060	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1904	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe
1904	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe
2324	omsecor.exe
2324	omsecor.exe
1800	omsecor.exe
1800	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2324	1904	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe	31
PID 1904 wrote to memory of 2324	1904	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe	31
PID 1904 wrote to memory of 2324	1904	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe	31
PID 1904 wrote to memory of 2324	1904	ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe	31
PID 2324 wrote to memory of 1800	2324	omsecor.exe	33
PID 2324 wrote to memory of 1800	2324	omsecor.exe	33
PID 2324 wrote to memory of 1800	2324	omsecor.exe	33
PID 2324 wrote to memory of 1800	2324	omsecor.exe	33
PID 1800 wrote to memory of 1060	1800	omsecor.exe	34
PID 1800 wrote to memory of 1060	1800	omsecor.exe	34
PID 1800 wrote to memory of 1060	1800	omsecor.exe	34
PID 1800 wrote to memory of 1060	1800	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe
"C:\Users\Admin\AppData\Local\Temp\ef66e7667b1b2337e1b95b71989666eab22f8712c98166400f99248f8cbdf4b6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
144f1be9332775a9d2c05a31cda5d398

SHA1
978cd1dd9301e895bee1521cb86bfde3abcf01fb

SHA256
63ee53b271a7764a61a37edc3c75cef8402a78ce956073bb0974858754f7a0db

SHA512
c22a20476dbef69b0faebce950ca845f3964700a075f00b3aff4603623a29c7e273e3303f4d42683b36b5f4c9867048aef57c8b18dbb74fb538368dd512db48a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
c5d049917527c0cd691f31b4e9ae0bf5

SHA1
804f40a39aeef3ac5ab2a7f839795a4e1ba70c00

SHA256
c23b0356264988d673662b4e4cccc424e274b3a16a4a767dae333f192820dfb4

SHA512
977c16d6e1c6e237d36c5d2d146430cbd6860efb0dcd1c38b482a5d1fb3b40452f70d7f39d25914152eef685d8d8fc0dee7d29a66a3c97e6609aa54f857d5e53

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
f0ac0f4ac58c0dfa9884f1cda8e63080

SHA1
e8afec252292bbc6f7dc5089f1a58f61682e14bb

SHA256
c36a9288a040e420d7411ac0983fff86d4b8e9ee4861c833a21f3bcf94be0c67

SHA512
833f0a93da5638901927d70c29aa8a8db7f457ec7e7825bed6e2fc4afd7d3cacb8413f4c3b951507048da38f0a8a719192208da6ab8b7ecb3979817b949b52ca

Download Submit

Analysis

Sharing