neconyd | 7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1

General

Target

7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe
Size

76KB
MD5

58283dc9e1a09139b0de697a8ff26b88
SHA1

bed5a32685e344306c973b80f675570b3ddd784f
SHA256

7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1
SHA512

4cc6ee9d4d4a357229ebd2cafccaa38c1bb5c1e299b391471893dd1b8f2a7054392cbbb6636208a0063c06f63ddad5ccb876abfe128d0baf058baee6909de355
SSDEEP

1536:Jd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11H:JdseIOMEZEyFjEOFqaiQm5l/5w11H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2184	omsecor.exe
2636	omsecor.exe
2556	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2228	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe
2228	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe
2184	omsecor.exe
2184	omsecor.exe
2636	omsecor.exe
2636	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2184	2228	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe	31
PID 2228 wrote to memory of 2184	2228	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe	31
PID 2228 wrote to memory of 2184	2228	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe	31
PID 2228 wrote to memory of 2184	2228	7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe	31
PID 2184 wrote to memory of 2636	2184	omsecor.exe	33
PID 2184 wrote to memory of 2636	2184	omsecor.exe	33
PID 2184 wrote to memory of 2636	2184	omsecor.exe	33
PID 2184 wrote to memory of 2636	2184	omsecor.exe	33
PID 2636 wrote to memory of 2556	2636	omsecor.exe	34
PID 2636 wrote to memory of 2556	2636	omsecor.exe	34
PID 2636 wrote to memory of 2556	2636	omsecor.exe	34
PID 2636 wrote to memory of 2556	2636	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe
"C:\Users\Admin\AppData\Local\Temp\7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
eadda070ba850be2852053179dd29806

SHA1
42567c79508203895f211d05e950064737f07416

SHA256
0d56384533bee6ac5e0c299965ed608d339b1becc67f14fd0a0236dadc7f2c57

SHA512
a3766bc26f4d9ee40daf9e7f2d8646fc5276ac5651e820690c4cfb93e0c88f416eb6e37f182bbdac579081036f1a74f8c32e334dd788818406c10ccd032e3850

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
05951ac570be2178293a69462481e554

SHA1
890bb94ca40e58cdf36a232b64c2a86a6e998956

SHA256
52f54c7f0987fd0b957bdcdfda20a255cf0d7eeb1001cb7d07e4342de5235308

SHA512
aa9052726a914b148f2973d04eca92ea30958105c9aa0c5f9510bebad19a6dac0a71a31e95449aa1cc00a2ee464ac967b150747322e983110563a05ed33589ee

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
0b6ebc5641298fb784648ce78e2c76de

SHA1
b9835d7714657106ff4d07d03f9c807f8f622a95

SHA256
374c6f8857857a5446fbbaa163e8cc801494fcf537acb111d5675e028ca6fa6d

SHA512
d414b0ceac0a6f152bbe70a4e280453bd9b955890be6c5aba36ed0a1370ff4e5b8b9d10ca80c4b3adc882556ad956ca107ab50e51ac111fe67d601975df8eaa6

Download Submit
memory/2184-22-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/2184-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-23-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/2228-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2228-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2556-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2556-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2636-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2636-31-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing