neconyd | 7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44

General

Target

7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
Size

76KB
MD5

ec8cb84b2c65d0f127c29133297ec8c7
SHA1

8fe58ed34a15f30bfa351d1ea6bf01c7cb929496
SHA256

7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44
SHA512

796e0ebdd0a7488f5bff830a8bf7347feb2497d3d7f1593b65fd6f98343ea3b5c461bccf3dc039e7f9c0a60d28b9aeef2184a85c5852b37892b091821789bba5
SSDEEP

768:xMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:xbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2612	omsecor.exe
2652	omsecor.exe
2992	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2376	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
2376	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
2612	omsecor.exe
2612	omsecor.exe
2652	omsecor.exe
2652	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2612	2376	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe	29
PID 2376 wrote to memory of 2612	2376	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe	29
PID 2376 wrote to memory of 2612	2376	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe	29
PID 2376 wrote to memory of 2612	2376	7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe	29
PID 2612 wrote to memory of 2652	2612	omsecor.exe	31
PID 2612 wrote to memory of 2652	2612	omsecor.exe	31
PID 2612 wrote to memory of 2652	2612	omsecor.exe	31
PID 2612 wrote to memory of 2652	2612	omsecor.exe	31
PID 2652 wrote to memory of 2992	2652	omsecor.exe	32
PID 2652 wrote to memory of 2992	2652	omsecor.exe	32
PID 2652 wrote to memory of 2992	2652	omsecor.exe	32
PID 2652 wrote to memory of 2992	2652	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
"C:\Users\Admin\AppData\Local\Temp\7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
55619170e69d92853a6121a63b0783f2

SHA1
92e2dd41a5f985e1def9f5b42df4a403d0fbddf1

SHA256
f81136835ed8be933f843ef5a22f7d9f3d3c9c890da4f26e4e731d04abae3872

SHA512
877c9ab7806aa1ff68c8bc56a1c327ffde11702821077b75129c9e6dc5eea873fa0340de577f35f6f809c040b5714b8eb69bf5e06b60430a5d6d7627de363357

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
815e5a6ef7b7db49fd6e45ac2f1aaabb

SHA1
9a40fbff8f1a5a89d8472ea889822591ad161ac0

SHA256
90990139b95432ed1645f4dc3dd392c5b3debf84ddb8ae1af1d15a7c04b198c6

SHA512
8e099d50a3630130e88f61ee91509d90d8a577741964269cc8260369c6fe50b3d2d3ce16ac719600e1771409fc524abff9e8f1aeb23ff64b7ab6aabba5c34344

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
880c35d0225402849a9be8eca0c2446d

SHA1
95abcd36bddc4ccaed6aab0e09c0672afd13e9b2

SHA256
d0928ea57b22fa736763c313429c25b6d7ad9d7ec997c4043172c7f6395b497b

SHA512
cb33020d8b1959ea9c25f949a82a228580817d527909fab9e5c13eeb3a3463f4c8522239ee86a403ea0551c82fde9b39515db6498cf04f5a6ca20414f12d4f1c

Download Submit

Analysis

Sharing