neconyd | 54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9

General

Target

54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe
Size

61KB
MD5

542eabe402e27707273b8f793764a2f0
SHA1

b371e4b14851339d9d392ecc9378fac85f38edf0
SHA256

54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9
SHA512

473a569a43c9b09a16e6df2765bad6b3679782ff7e4f6f365130074c73f26f933113395aacefb7622619613623707d2fad72adc2d085fe30a102333cfe2bc56d
SSDEEP

1536:5d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZnql/5:ZdseIOMEZEyFjEOFqTiQmFql/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2324	omsecor.exe
1960	omsecor.exe
2664	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2200	54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe
2200	54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe
2324	omsecor.exe
2324	omsecor.exe
1960	omsecor.exe
1960	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2324	2200	54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe	30
PID 2200 wrote to memory of 2324	2200	54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe	30
PID 2200 wrote to memory of 2324	2200	54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe	30
PID 2200 wrote to memory of 2324	2200	54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe	30
PID 2324 wrote to memory of 1960	2324	omsecor.exe	33
PID 2324 wrote to memory of 1960	2324	omsecor.exe	33
PID 2324 wrote to memory of 1960	2324	omsecor.exe	33
PID 2324 wrote to memory of 1960	2324	omsecor.exe	33
PID 1960 wrote to memory of 2664	1960	omsecor.exe	34
PID 1960 wrote to memory of 2664	1960	omsecor.exe	34
PID 1960 wrote to memory of 2664	1960	omsecor.exe	34
PID 1960 wrote to memory of 2664	1960	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe
"C:\Users\Admin\AppData\Local\Temp\54c6fd08ee54b9af62d89c572818604ba420de37a8ee9892d5c3d3ca12efe4e9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
91df5b2aeb8a792abaedcc023a9e4aa6

SHA1
8e21dae3b69bcb388f55b66f924af7579ed6afcb

SHA256
654b39a0391b5758bd7c0fb0b514f0ed036567f7aebb07ccc95e09716416f18d

SHA512
55abf812aecb4c0a3ef993cd98d51baec0f4229c76672a946de5e84106533f40f3fb0bf813e71cb6f623f38f4a4f9e1e5d64853d2b4dbd30fbec6f3b6ff47d26

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
05e371ae1ec56b600375efefd72ed28a

SHA1
eb01f9d761d835053407c7f5bf72f6e514b748e3

SHA256
84819214ca873de3d6f3b6270311549cdbbee534056f35696939c32824954a6d

SHA512
4a4e4f0077b3cfa8b8fb98808af12bfe83aa4755c7c96e1d83f6d6f5863465197058ae9f8c9a69b8a71badc299010a05f1dbef44c0282c9935b8caa0e7a2e2f8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
6d6f6e3bb9dbb55020abfee6e17a0b9e

SHA1
e6d4a52176f115a3781a5c0667df61550618c2a7

SHA256
2b7b71dcf998a49848fbe5db0257c70a8d1eca390580c24384044544eda39587

SHA512
746226fed8bfa2aa120f204b63583556be0a40819a7a4fac9dc765faec226b4ea3e321cf79b4c2abe16e2de2ff77f661e87f7b20686ccaa1e1062c930fd4f75b

Download Submit

Analysis

Sharing