neconyd | 6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b

General

Target

6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe
Size

33KB
MD5

69f977832f61c475cc0494783f506520
SHA1

ec0855e68d06839eb9710017cc5cfd70d7ee2977
SHA256

6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b
SHA512

cad3d6215a1206c4d980ceb879e2e63403741ee9426939dd1d75339acb7683e6d41bb64fad8e277f61fd704de0e29172ab67b9da45bbfdcc7f638230038b9aaa
SSDEEP

768:HfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D7:HfVRztyHo8QNHTk0qE5fslvN/956qA

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2668	omsecor.exe
1128	omsecor.exe
760	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2272	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe
2272	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe
2668	omsecor.exe
2668	omsecor.exe
1128	omsecor.exe
1128	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2668	2272	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe	31
PID 2272 wrote to memory of 2668	2272	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe	31
PID 2272 wrote to memory of 2668	2272	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe	31
PID 2272 wrote to memory of 2668	2272	6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe	31
PID 2668 wrote to memory of 1128	2668	omsecor.exe	33
PID 2668 wrote to memory of 1128	2668	omsecor.exe	33
PID 2668 wrote to memory of 1128	2668	omsecor.exe	33
PID 2668 wrote to memory of 1128	2668	omsecor.exe	33
PID 1128 wrote to memory of 760	1128	omsecor.exe	34
PID 1128 wrote to memory of 760	1128	omsecor.exe	34
PID 1128 wrote to memory of 760	1128	omsecor.exe	34
PID 1128 wrote to memory of 760	1128	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe
"C:\Users\Admin\AppData\Local\Temp\6a1b89f2ae611c917de7850eec73430b96531bf7f8b0767b73f1d2407bcea61b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
9f402e76af5c3b5eca3d20bdc7da492c

SHA1
b1ee5f8c45c24a5b0d9423309b80a43e2f0cce17

SHA256
a0da4564e0ef499cb6a3fc4d77cb71698462dfd6278f979dca280812cf61cc94

SHA512
95f79fdba2f55faac97bd2ff7b4429312466f30245754c481075c56f58924e93488c9b71af433d49c7fe835834333f7e0fb1114de52f272b5c4daa8b85dc0d4d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
3c32e0bade486fef991cd936fb0a42dd

SHA1
9417e6f1bcdfdbbe31e3e2be9cd351755df7ae44

SHA256
c7639c02b9812dd2957bafa4a9c578f45195a5e5c0d6f87a0fe900b574d52abf

SHA512
1361ea211b962396de5bdd25695c0bdb0a313242ca456b3565dd497df6aface255ce18843bfdbfd89afe8af74fbe0430d63ca78f0a238c008267deeadaf3efc2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
8b35fa72dc9fce459718432c828c8988

SHA1
5d6c3b942eb2e693bfe5e5751d0695552c6e621e

SHA256
4627cade159073a548975165bfe61b5f71a03ac6095853b43890182873929afe

SHA512
3f459266b17e5e368221111646da87486347fdebb199cf1295909d3adffd2f12a4879803cd1f42871d74363ef7d00099eee13a395fd4e8d8a8b4b1db23666119

Download Submit
memory/760-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/760-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1128-38-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1128-45-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2272-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2272-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-26-0x0000000001F30000-0x0000000001F5A000-memory.dmp

Filesize
168KB

Download
memory/2668-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2668-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing