neconyd | 07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54

General

Target

07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe
Size

65KB
MD5

411cf69a0de4b66bf6aa9c605f7d8cf4
SHA1

e79c594d7ac424a9f5a6907ecf1ebe9b9fdff824
SHA256

07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54
SHA512

246d990120c444d47652144bc4bc14dac27b68c3a0bb1c4d6bf61ca6ebbb5ed00f02d7e628c950c2aa384525267af4845c11b27b88c3356aa08f5b4f63da60dd
SSDEEP

1536:7d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:LdseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2624	omsecor.exe
692	omsecor.exe
1376	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1240	07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe
1240	07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe
2624	omsecor.exe
2624	omsecor.exe
692	omsecor.exe
692	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 2624	1240	07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe	30
PID 1240 wrote to memory of 2624	1240	07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe	30
PID 1240 wrote to memory of 2624	1240	07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe	30
PID 1240 wrote to memory of 2624	1240	07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe	30
PID 2624 wrote to memory of 692	2624	omsecor.exe	33
PID 2624 wrote to memory of 692	2624	omsecor.exe	33
PID 2624 wrote to memory of 692	2624	omsecor.exe	33
PID 2624 wrote to memory of 692	2624	omsecor.exe	33
PID 692 wrote to memory of 1376	692	omsecor.exe	34
PID 692 wrote to memory of 1376	692	omsecor.exe	34
PID 692 wrote to memory of 1376	692	omsecor.exe	34
PID 692 wrote to memory of 1376	692	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe
"C:\Users\Admin\AppData\Local\Temp\07ee6d797fcb3ea339d26ea2a429ccd810a26c627d564b3d6e6743dea230ea54.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
1e5d80b3ca2bf4c97053dfad9cc78f8b

SHA1
f1086e24835efa3bc575078bc55bd9e3ecc597f9

SHA256
b2731a81def7987ff87ff079eb2c60760847a8302ddcfed659cc265561620c55

SHA512
cc11dfb40d83d61e7cb129d8c3f37b01302f3235643c34dbe7e3f690d975e11373925cc6531d936adbb9e7aa8f0c88c1c0272e8de5654175b8a5d10011f93270

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
0793bdda5123c04271af2c50aa71ce66

SHA1
7a2d9296ed4da6448816cd9904c932216e63deb6

SHA256
1207f8a9fab6cbe70fa08601a663b0b5ea293459a2e0e9e01f38c0d9ee6e95cb

SHA512
9746afda014f5747561d08623d4807b540550321a38fffa173fa22458ca9028d81cd2f9e85a73743f896465c9a909904be68d6c147a374ca5026fd393d737162

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
0e0b09a3cfa783c3655f4df31113a4dd

SHA1
798502320bad7c415c23db3932e9ce62f581bad2

SHA256
095df56432e93c3c0b4c7e0aaf9904d6d592edd115d13af8888acbba360236ea

SHA512
1cd625a123322f6e9591aec6f00e7cabdcab2a14a37d2b76c80c8185c2127761eb96c8ca10c12f8991bdd52d3389cd5d349f6b3040499f23c36e0102569c81db

Download Submit
memory/692-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/692-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1240-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1240-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1376-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2624-15-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/2624-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2624-21-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/2624-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2624-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing