neconyd | 7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e

General

Target

7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe
Size

72KB
MD5

797b05d00fb1211f8ac5f9426077beb0
SHA1

99c850d26563e145a26f0a6598accadd31715d68
SHA256

7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e
SHA512

37bddad3fb64983ef6725cee4b08d368ff6b39be88eb01e0041d9e3348531b582fc029821e7c5dc62b3bd0af21410ca3fa445c1042102e7d237c7c47fd8ba254
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211v:7dseIOMEZEyFjEOFqTiQm5l/5211v

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2880	omsecor.exe
1352	omsecor.exe
1920	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1632	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe
1632	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe
2880	omsecor.exe
2880	omsecor.exe
1352	omsecor.exe
1352	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2880	1632	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe	30
PID 1632 wrote to memory of 2880	1632	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe	30
PID 1632 wrote to memory of 2880	1632	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe	30
PID 1632 wrote to memory of 2880	1632	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe	30
PID 2880 wrote to memory of 1352	2880	omsecor.exe	33
PID 2880 wrote to memory of 1352	2880	omsecor.exe	33
PID 2880 wrote to memory of 1352	2880	omsecor.exe	33
PID 2880 wrote to memory of 1352	2880	omsecor.exe	33
PID 1352 wrote to memory of 1920	1352	omsecor.exe	34
PID 1352 wrote to memory of 1920	1352	omsecor.exe	34
PID 1352 wrote to memory of 1920	1352	omsecor.exe	34
PID 1352 wrote to memory of 1920	1352	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe
"C:\Users\Admin\AppData\Local\Temp\7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
35d7183c17916c2d07e7fa200778b6f3

SHA1
84f0666defa958feada411ab5263d131a5ebc3d0

SHA256
1bbe9ef9036c8393d38e6cab3c59da89e95186cd7e70222a10b16544dd8ecced

SHA512
2c7bd0144bea09e2798244fd0350187d7c95a948c651a8a1c561ad0bb6475bce8c630c9415ad0fddffb551ea16d2518912608c71de63680744be822c5c24dcfe

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
928eabe07d1f7645e93a2c093b27bb34

SHA1
8e3d58350449766b3ca712ca0afab58b81a9e285

SHA256
6a99192e7e47fc75d1bd064d1409532cccff64793b768db09739fd420fc238eb

SHA512
11a8f660fc36079b44f88f2964618d536a43cda92b46ea626dd3794c8b3dee25b2c8353557edc8eea97c0d5a61b195d272a9bb81ec9034500b0e16910a337dd1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
ae2ef4eff9a2960504c5eb18a5447442

SHA1
9242f7e0ba5039d41a0db2c122079a4a06d12cf9

SHA256
f2ecdb8faae1645f26c75581ebae2d4a7cccdf470b1eb0fe500f4e28e39345e3

SHA512
f1caa193f2da17ebe6108fb71e23191f71fe614fe8a2e4eb79d11bcc9c37d161eb3d772be0fac4b7c4e4f50db0bc8ba4903efc9ccf73cf75a572f64ffc7b6a15

Download Submit

Analysis

Sharing