neconyd | 6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c

General

Target

6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
Size

84KB
MD5

ac9c173d944ca0a08bbfc1ac25f27317
SHA1

39b40b502c1dec272adc50b8b54f7b9c31d0c598
SHA256

6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c
SHA512

50c76bf6ba398b4604396710028f575ca95b7924e84013f884f7aa8adb5b1759ff451fa0a92bd5eec4137f1747f83c73f78f8a019ab1c409a0f07dca6cbc4fa1
SSDEEP

768:PMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:PbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2900	omsecor.exe
780	omsecor.exe
2012	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
812	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
812	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
2900	omsecor.exe
2900	omsecor.exe
780	omsecor.exe
780	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2900	812	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe	30
PID 812 wrote to memory of 2900	812	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe	30
PID 812 wrote to memory of 2900	812	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe	30
PID 812 wrote to memory of 2900	812	6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe	30
PID 2900 wrote to memory of 780	2900	omsecor.exe	33
PID 2900 wrote to memory of 780	2900	omsecor.exe	33
PID 2900 wrote to memory of 780	2900	omsecor.exe	33
PID 2900 wrote to memory of 780	2900	omsecor.exe	33
PID 780 wrote to memory of 2012	780	omsecor.exe	34
PID 780 wrote to memory of 2012	780	omsecor.exe	34
PID 780 wrote to memory of 2012	780	omsecor.exe	34
PID 780 wrote to memory of 2012	780	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe
"C:\Users\Admin\AppData\Local\Temp\6ee0fb6728ab3f8054586aed3375af862f78ae520132a24b1058d0ef72fa325c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
17be0dd8a09676cc323f82f308c7d6ee

SHA1
aad60e6e45a548267f6798d741026802a3b60ee5

SHA256
724222661c910da5aa78e68e9140eb48f45f36374f1ff263fc992197822b1dd7

SHA512
f9faba5586861176b7e7332051f05476f75bc818cfa9c6556f6d09b851e03dc662d0633b4dca046f7566ae8e7d37183f3e2145dbdf5196cbb286fd104870cf16

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
baedacc7e4cd6ac35b3a425c706c85b3

SHA1
db135196991fca4063bc835f4dcb51dd89aab5a6

SHA256
94cce725ce6c37973a60cbadccab7303bb6102094327a257d41a5acfd17c9fbb

SHA512
6ebd9cac9da8e5ed85e1a48268a6469d748e6eaccce08704121b456339709ab7690b2e22621d03fe37e4e64fc97064ca3a118fda76890bf82ed1be664518ba2a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
82148d97750c6b9e359b0fd661292184

SHA1
71cdb840bd48cce50111b2a141c677633a91cc7b

SHA256
3c80b464422fb73dad062389d999963e8629121cb1420b8cb0dfb81a4750ca16

SHA512
c98b40b0459a5415001e5f6a5d9fa539a63ab7861037ad96ea3a94acc3c62a586a89c23bcbad54cc5413ae24252e8da8688c8e2f434fca9e71a936b0c87e2bc2

Download Submit

Analysis

Sharing