neconyd | 9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0

General

Target

9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe
Size

76KB
MD5

7cf0b22925596438209e6ef658887cbc
SHA1

07ee522680da1341203441a23326042118ad1ad5
SHA256

9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0
SHA512

11c0c7fd0e737a507d383c8c27490597b812c1c808a11b7fcea888f69cdb1ee8f7086cfcc3eff364683146516ece3f440acda52828187d328bf0022e6e51590e
SSDEEP

768:sMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:sbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2748	omsecor.exe
1152	omsecor.exe
2624	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2356	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe
2356	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe
2748	omsecor.exe
2748	omsecor.exe
1152	omsecor.exe
1152	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2748	2356	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe	30
PID 2356 wrote to memory of 2748	2356	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe	30
PID 2356 wrote to memory of 2748	2356	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe	30
PID 2356 wrote to memory of 2748	2356	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe	30
PID 2748 wrote to memory of 1152	2748	omsecor.exe	33
PID 2748 wrote to memory of 1152	2748	omsecor.exe	33
PID 2748 wrote to memory of 1152	2748	omsecor.exe	33
PID 2748 wrote to memory of 1152	2748	omsecor.exe	33
PID 1152 wrote to memory of 2624	1152	omsecor.exe	34
PID 1152 wrote to memory of 2624	1152	omsecor.exe	34
PID 1152 wrote to memory of 2624	1152	omsecor.exe	34
PID 1152 wrote to memory of 2624	1152	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe
"C:\Users\Admin\AppData\Local\Temp\9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
ab7debd38d28afaaeb1a76746c468c2c

SHA1
7485d897c5f24fbde52345e40b05f02664ecfbad

SHA256
73d3ac8f24c7b818222c86f6b902fda918081cdc24d366db47337e5225d3e4b8

SHA512
f53503097547fabbb78b6d941fd9136426006e87283c96083f7809269fc681a298e9c86fa71d1cae006971b5008507b1ce402ff41a8b3ae98f3478173acbda6a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
aa68fbc2ea326c7c3d497f5ae6179abd

SHA1
9cd6423ca2c0dc48e5598f567e3681c6f6a48f63

SHA256
fa69905cccb571913c5fc79329cd402b74d7f768a65b16ab827d68a8a0f66f0f

SHA512
516569d0d309c9049ccff0be6bdcca9e5a719874096e1a1b5b69676c2b9b5868a424b2b30e58ae78b6694d0ca036e75da13ae5ae949ec0d8c9ee7e7c6f635920

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
842086201302d9a07424ecc0a2276c80

SHA1
1a7b251a9fa110d7115a51e1862255ef6c2d189a

SHA256
cc8b1cdefc8ccecf34275844a0c1e17d8cd77b8ec7b683f1d368dbf00a5d6540

SHA512
fdf82753e4380a49582405fa0d35e34620379e0129eea9a0461e0a703c8c70a56bf30c168b0be0bfdf975f9fee798eb8f04c12d6abc3aecdbaf45bddce4920e7

Download Submit

Analysis

Sharing