neconyd | 7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9

General

Target

7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe
Size

88KB
MD5

b80b91e774206ac0a892f1a142188ed1
SHA1

b2116de24cde14d95765d44fc06474f2211b9cee
SHA256

7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9
SHA512

f5907b69eaa2315357a98d3c25764611ec2729677bc6df06ec3a6912965c7a333521845033d493a0756f4eab96cc571dfbc0992a333b9fa30ca14b2dff616d13
SSDEEP

1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5D:9dseIOMEZEyFjEOFqTiQm5l/5D

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1544	omsecor.exe
676	omsecor.exe
2964	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2012	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe
2012	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe
1544	omsecor.exe
1544	omsecor.exe
676	omsecor.exe
676	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1544	2012	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe	30
PID 2012 wrote to memory of 1544	2012	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe	30
PID 2012 wrote to memory of 1544	2012	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe	30
PID 2012 wrote to memory of 1544	2012	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe	30
PID 1544 wrote to memory of 676	1544	omsecor.exe	33
PID 1544 wrote to memory of 676	1544	omsecor.exe	33
PID 1544 wrote to memory of 676	1544	omsecor.exe	33
PID 1544 wrote to memory of 676	1544	omsecor.exe	33
PID 676 wrote to memory of 2964	676	omsecor.exe	34
PID 676 wrote to memory of 2964	676	omsecor.exe	34
PID 676 wrote to memory of 2964	676	omsecor.exe	34
PID 676 wrote to memory of 2964	676	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe
"C:\Users\Admin\AppData\Local\Temp\7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
5628bd8d3d5e902c5cbff02350b423bf

SHA1
a664d9a63cdda37eef937d7ebc0e9d7ddc07522d

SHA256
c223ba3cf90e0df0a6dcb73cd439276e945c9af67c79c44eb2ac39fb92f0197b

SHA512
adebcb17c21511f71f51b5d2e89af3d3f53b8d836785ac94222eecf6d78afc34ff7845c43fe598cf578825b6391d1b7cd21af4ef580b4841439c65b358990eea

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
820823fe7fb215d9f419732ee3eef623

SHA1
3fa2a535c5efb5f0507ba76215282ad058e91dea

SHA256
7cf2236cf8fab8b132340f6f229a6bcd82a0e21f3bcf8498c4e12859d5f50314

SHA512
853a441fb15a8c30f278077716e03efea7c946130dcdcde7af50481069e6e96a1db213d556268e9b368478dd2b8b1d3a72cf84559ca097c3a2f115c8550e9da6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
de17617eddccf09233bd5faf2389a90d

SHA1
622db8ce9d47f8c080e1e2ec932cbfb8c4a0ccec

SHA256
f9b0de03ff71c3e47b4126d5dedab15e9c6b321fcf1885db50fbc108c0623b56

SHA512
9ab4a19567907e52274279cdd47dc012034fe35833c057c6e44b3222ab6c53df6c5365d49121825cab6ede935e96ad74927d40609dfdc5a70d55ab78cfe71686

Download Submit

Analysis

Sharing