neconyd | 662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944

General

Target

662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
Size

76KB
MD5

4da380879d70fbcf230ed358131d352a
SHA1

02a0535a9e16715dcb4b7ce607fc1de765e3a7ba
SHA256

662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944
SHA512

56d9188446c96e1da11bf9aa7252796030c4b03c4be9b163ffda30de25587444f6f77658de7054045f356e56cfa6eb68530321f9d15748893d96d9326309c89c
SSDEEP

768:VMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:VbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2784	omsecor.exe
1148	omsecor.exe
1044	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2716	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
2716	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
2784	omsecor.exe
2784	omsecor.exe
1148	omsecor.exe
1148	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2784	2716	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe	30
PID 2716 wrote to memory of 2784	2716	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe	30
PID 2716 wrote to memory of 2784	2716	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe	30
PID 2716 wrote to memory of 2784	2716	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe	30
PID 2784 wrote to memory of 1148	2784	omsecor.exe	33
PID 2784 wrote to memory of 1148	2784	omsecor.exe	33
PID 2784 wrote to memory of 1148	2784	omsecor.exe	33
PID 2784 wrote to memory of 1148	2784	omsecor.exe	33
PID 1148 wrote to memory of 1044	1148	omsecor.exe	34
PID 1148 wrote to memory of 1044	1148	omsecor.exe	34
PID 1148 wrote to memory of 1044	1148	omsecor.exe	34
PID 1148 wrote to memory of 1044	1148	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
"C:\Users\Admin\AppData\Local\Temp\662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
d47b327fea566cbee5e9cc21398a8f1b

SHA1
6730610cdc25b214f6772b6c5a93848406b19e37

SHA256
cc4c5ff639447989c67ed504f40d652712ec290446439404037718dba23ad4f2

SHA512
7c48e0511f1ed0f7af9e9fe50ba80e4388eadc4b3e1e50fabd1f2ed2120d4c1514bd7fa32c1dd4e646828696dcd2eba239d122697786cee82c96ceafe4dfa359

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
1399e86def1b539655f8c31bf1bfe893

SHA1
0351d57d9c754154a295095932e35909817eb26e

SHA256
89117b1691c4dfb96c338293f0c18eb5e4b830ff7c73e2297416e1d27dd8cca9

SHA512
85c1b9fe5206435b94042963d35312e5ebfc7cf01ba6b0bea5e3c88fc4d74038805f84848abf806c2595d0d0e0e262c690dde0077d0c957d2e8b16f78c517b69

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
b604db7ec1a0f6aa1e4cbbddc9f626d7

SHA1
f80ea3ba1ddd1d985f99eba7e0d8ae46af60ea58

SHA256
5c94471e8954a435a68131e1f39911523f8cad87e65c00395d44e935bdead0d6

SHA512
a42a9d495eee7fdc40d594178cbc85cb6b368999fa1f55048ffe6d3274485aabf4587d8be7f121a676011a3004b07d4ee7c5c5f753f9269be309927e38af41b6

Download Submit

Analysis

Sharing