neconyd | 6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c

General

Target

6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
Size

84KB
MD5

ac9c173d944ca0a08bbfc1ac25f27317
SHA1

39b40b502c1dec272adc50b8b54f7b9c31d0c598
SHA256

6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c
SHA512

50c76bf6ba398b4604396710028f575ca95b7924e84013f884f7aa8adb5b1759ff451fa0a92bd5eec4137f1747f83c73f78f8a019ab1c409a0f07dca6cbc4fa1
SSDEEP

768:PMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:PbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2244	omsecor.exe
2760	omsecor.exe
2940	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2668	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
2668	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
2244	omsecor.exe
2244	omsecor.exe
2760	omsecor.exe
2760	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2244	2668	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe	30
PID 2668 wrote to memory of 2244	2668	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe	30
PID 2668 wrote to memory of 2244	2668	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe	30
PID 2668 wrote to memory of 2244	2668	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe	30
PID 2244 wrote to memory of 2760	2244	omsecor.exe	33
PID 2244 wrote to memory of 2760	2244	omsecor.exe	33
PID 2244 wrote to memory of 2760	2244	omsecor.exe	33
PID 2244 wrote to memory of 2760	2244	omsecor.exe	33
PID 2760 wrote to memory of 2940	2760	omsecor.exe	34
PID 2760 wrote to memory of 2940	2760	omsecor.exe	34
PID 2760 wrote to memory of 2940	2760	omsecor.exe	34
PID 2760 wrote to memory of 2940	2760	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
"C:\Users\Admin\AppData\Local\Temp\6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
17be0dd8a09676cc323f82f308c7d6ee

SHA1
aad60e6e45a548267f6798d741026802a3b60ee5

SHA256
724222661c910da5aa78e68e9140eb48f45f36374f1ff263fc992197822b1dd7

SHA512
f9faba5586861176b7e7332051f05476f75bc818cfa9c6556f6d09b851e03dc662d0633b4dca046f7566ae8e7d37183f3e2145dbdf5196cbb286fd104870cf16

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
e2080a752c1ca19d17650b51d33214ea

SHA1
2e6e33157b4e1d852752ae60e2b4ca62d0283f4d

SHA256
ab5b91bf25c052f3a8f0c211edc8e6f86395d9bee4bae0b4810a59e7a2662157

SHA512
e20666ea52620a87681c937796fe67718934ab90852268ebd85f5a6846f0c844914a797ed99883761f338b4a7643afbe394f5a84e66032cd12358d8e725c5f93

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
baedacc7e4cd6ac35b3a425c706c85b3

SHA1
db135196991fca4063bc835f4dcb51dd89aab5a6

SHA256
94cce725ce6c37973a60cbadccab7303bb6102094327a257d41a5acfd17c9fbb

SHA512
6ebd9cac9da8e5ed85e1a48268a6469d748e6eaccce08704121b456339709ab7690b2e22621d03fe37e4e64fc97064ca3a118fda76890bf82ed1be664518ba2a

Download Submit

Analysis

Sharing