neconyd | 9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74

General

Target

9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
Size

89KB
MD5

5a33e3253691cc6f38e096c9d378bca7
SHA1

ca893cc11e1ac841f5a9e30e586dbb27e62ca08b
SHA256

9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74
SHA512

555efd1af8e049111b8f0748f7faa0664fcb73c2f24914869b3598a0194ca73994ab7b110679a90ebbbd299c66da3d65cf2e296c415ae9a711f83315eca8b748
SSDEEP

768:pMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAV:pbIvYvZEyFKF6N4yS+AQmZTl/59

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2124	omsecor.exe
1756	omsecor.exe
1888	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1820	9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
1820	9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
2124	omsecor.exe
2124	omsecor.exe
1756	omsecor.exe
1756	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2124	1820	9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe	30
PID 1820 wrote to memory of 2124	1820	9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe	30
PID 1820 wrote to memory of 2124	1820	9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe	30
PID 1820 wrote to memory of 2124	1820	9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe	30
PID 2124 wrote to memory of 1756	2124	omsecor.exe	32
PID 2124 wrote to memory of 1756	2124	omsecor.exe	32
PID 2124 wrote to memory of 1756	2124	omsecor.exe	32
PID 2124 wrote to memory of 1756	2124	omsecor.exe	32
PID 1756 wrote to memory of 1888	1756	omsecor.exe	33
PID 1756 wrote to memory of 1888	1756	omsecor.exe	33
PID 1756 wrote to memory of 1888	1756	omsecor.exe	33
PID 1756 wrote to memory of 1888	1756	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
"C:\Users\Admin\AppData\Local\Temp\9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
953b5dcbee95440d38892ee7f4c84e50

SHA1
bad61f40f24102dc184116dbe839547816ba020f

SHA256
f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22

SHA512
5e9ffe005d1e3e383d9a6fc1b9892d734bd7a6ecc38b983a2136aed43aab1a0f754e277b1b66876056925fdd6b584b545ccddb5a0fe9bc1ac7b2b1a89becd0c4

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
81a61cd65172f6fedb451b30306f3a49

SHA1
e2d42ed1dcacedd32f5d76096bc6b84b3db32139

SHA256
bc38bd0ce83aacc39318b8893cd2fc2c1fce963ea7e00b14157610975042992d

SHA512
45507fcffbb9cd8f3af8aa3c24bbeaef53391e9981844e8128ee9ba42f964ecbf74ac8ecd4acc070228e1c8408b0461c4406450f83909cf163d51a06fb630f17

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
0b8d1e5202e322867b264b371142cae3

SHA1
3f527350254f237f5db95b54954fe0437f9228a4

SHA256
ff75de672ecd7cda02fb6c3a9a700ce63c00a2b45a04920a972ea2657874c3ba

SHA512
d7487e680fb509c513daa12489887cd4a9f3764ddec4b3108785740b5fc23f8287a22052394177e0194b29809162ed6d596bf37283fd405c70aa867e4922aeed

Download Submit

Analysis

Sharing