neconyd | 6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6b

General

Target

6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe
Size

61KB
MD5

4e515099a735e85dc8251b8d40074ef0
SHA1

d2c15cdc6dab2c7bb382725e392169f3335f83e3
SHA256

6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6b
SHA512

214a9de1177e111e2079b81e0634e357eb86fd02642375ce6f3b4ddcb012b73b8e32fe2eef96cda3771ffdbb65e908e30616ab14a60aec79428c501702ad9ff2
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5X:XdseIOMEZEyFjEOFqTiQmil/5X

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2992	omsecor.exe
2108	omsecor.exe
1484	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2900	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe
2900	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe
2992	omsecor.exe
2992	omsecor.exe
2108	omsecor.exe
2108	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2992	2900	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe	30
PID 2900 wrote to memory of 2992	2900	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe	30
PID 2900 wrote to memory of 2992	2900	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe	30
PID 2900 wrote to memory of 2992	2900	6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe	30
PID 2992 wrote to memory of 2108	2992	omsecor.exe	33
PID 2992 wrote to memory of 2108	2992	omsecor.exe	33
PID 2992 wrote to memory of 2108	2992	omsecor.exe	33
PID 2992 wrote to memory of 2108	2992	omsecor.exe	33
PID 2108 wrote to memory of 1484	2108	omsecor.exe	34
PID 2108 wrote to memory of 1484	2108	omsecor.exe	34
PID 2108 wrote to memory of 1484	2108	omsecor.exe	34
PID 2108 wrote to memory of 1484	2108	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe
"C:\Users\Admin\AppData\Local\Temp\6cbaa35551c78477f5fda5dca35458ab3a84e15f8c9b2ccb049a10b9f294ac6bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
6422fe077b98321be12a5c51f5c7bf0e

SHA1
e7501650a421cbb8d12ce7d103ac2c667a197304

SHA256
527b3647a499fd630b47d353731a1872978c7fe0c7ba4a049d7fc146347cd5eb

SHA512
62c848f66e2a00a233489a43caa46328400ac978fa2f56854900c8c4a8cebd27335d8f1353ea2503e07014f3b75d9e5a5bfff09ddf5f06e965cba78043368a4b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4d8ad15344235eaf9fc58d39e1b7ec69

SHA1
5c2c88a0ba637c675b8895ae65b3aa31783fe448

SHA256
3201e066c90819633dfb4a9f6cb0dcb81331c7a6f91f1bfc0eb3fc7f6511869a

SHA512
915b7c2e25fc207d7806bdb2432154067216104e37bad38e1d30aa90a211e0537d420765b37c99fe371518285bfa38360e8b4bf725e9d88db156649457b18108

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
367ac5b56d9d4bed78b84e73fc0f0d6e

SHA1
29ed5069f27741717d5b7dda48bee337ce443155

SHA256
d00bcc120f59275ac1dd3179990cee214a96d44e6d64bd8beecebb012d61df11

SHA512
9dee2964419eb516e0851917a99a7e594436c49ae2cfa6c1558540480b104a2633863d020dbbbdedfa7d10db000e7c1ec8501f783df63b20e690199f12b7b8cd

Download Submit

Analysis

Sharing