neconyd | 8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf

General

Target

8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe
Size

61KB
MD5

d95ce442176fb8bb198dd1be4850d7c8
SHA1

b739fdff2b4a1c04c8dddef6d6ae010f74ec57be
SHA256

8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf
SHA512

6815e5f6d516fab8749483b19551ba628bada52add3c46da8ce79423e3398ad5bdc3a4731aa50237d3ceaefee7b1d1162fff06d1c4b2138b7ac145f2e0e6ffa1
SSDEEP

1536:Gd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:+dseIOMEZEyFjEOFqTiQmFl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2460	omsecor.exe
2696	omsecor.exe
3032	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2100	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe
2100	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe
2460	omsecor.exe
2460	omsecor.exe
2696	omsecor.exe
2696	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2460	2100	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe	30
PID 2100 wrote to memory of 2460	2100	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe	30
PID 2100 wrote to memory of 2460	2100	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe	30
PID 2100 wrote to memory of 2460	2100	8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe	30
PID 2460 wrote to memory of 2696	2460	omsecor.exe	33
PID 2460 wrote to memory of 2696	2460	omsecor.exe	33
PID 2460 wrote to memory of 2696	2460	omsecor.exe	33
PID 2460 wrote to memory of 2696	2460	omsecor.exe	33
PID 2696 wrote to memory of 3032	2696	omsecor.exe	34
PID 2696 wrote to memory of 3032	2696	omsecor.exe	34
PID 2696 wrote to memory of 3032	2696	omsecor.exe	34
PID 2696 wrote to memory of 3032	2696	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe
"C:\Users\Admin\AppData\Local\Temp\8168c9555358ef6882fe84c29017c9bd32921f80bcda756b90f1994291c633cf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
377307ce6f0546c8dcebde1e9145f03e

SHA1
024735238b301166c448f7a8ef1fe27295d25112

SHA256
4ae3e1d5d05e44b7522545228b9b6cf9922e83c67fec778ffc70ca8e6f3a03eb

SHA512
09b1251a30ab8fcee113614f2110525ce7ae8eaf0d1c924357e9353456a54572f4a71682bf5a77cd828af19ad35640bcab8f0c4083d10be5e4ee68addab78e74

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
7f9f6bb45f4062b7fb0c3e81b0bd4dd6

SHA1
d4fec49d7a8ece7958a4bc958d28c755d8ad1e6b

SHA256
100bc7b5b65f1b1be28f4ae2e4d208335005261364f7fa59090c0f5d4b76403b

SHA512
2f204f63eab0e56ca1ef0355677d0d486c80e7dcb05989410cfb1a5647cc2123ce72dab16dd55d32b5aaf35c576b3e7e9c4a51adfffab2bc52293c5966c92b71

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
1d89959d228a383be5b4e612c83b643f

SHA1
2b202dcb65964909bcc772850ba8d01d68e29630

SHA256
97fcc1602335bf4029aa6def8007d2284b38b664e9b52f67f3a196d286bfe796

SHA512
d011e4701e378a84c7fc7fe95373bb8ae609e5e3ceed363a1f6508d4a605bec135538e10fb88ce9578ab53dac60a87c9085b04a58b243a49cf2edab52b3a0d95

Download Submit

Analysis

Sharing