neconyd | 6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737

General

Target

6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe
Size

71KB
MD5

bd559dcda44a612a74f6c1e219110db0
SHA1

0e9a08ee761b1e580581cf534094454c0329b91c
SHA256

6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737
SHA512

f455c04cc62ec1863a59eb24a66c47b498d14ff38d08ebe8fa2ec2710dbd55f1de02de53b2c74aa1cb0e778c0ad76b80186fe8f3b0f494702c98820ab729a45a
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:kdseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2528	omsecor.exe
3048	omsecor.exe
2624	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
752	6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe
752	6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe
2528	omsecor.exe
2528	omsecor.exe
3048	omsecor.exe
3048	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 2528	752	6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe	31
PID 752 wrote to memory of 2528	752	6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe	31
PID 752 wrote to memory of 2528	752	6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe	31
PID 752 wrote to memory of 2528	752	6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe	31
PID 2528 wrote to memory of 3048	2528	omsecor.exe	34
PID 2528 wrote to memory of 3048	2528	omsecor.exe	34
PID 2528 wrote to memory of 3048	2528	omsecor.exe	34
PID 2528 wrote to memory of 3048	2528	omsecor.exe	34
PID 3048 wrote to memory of 2624	3048	omsecor.exe	35
PID 3048 wrote to memory of 2624	3048	omsecor.exe	35
PID 3048 wrote to memory of 2624	3048	omsecor.exe	35
PID 3048 wrote to memory of 2624	3048	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe
"C:\Users\Admin\AppData\Local\Temp\6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
2d714ea31382fbe2bad53bfbc000e91a

SHA1
7cccb8b158784492ac1e9d8ddb0a9eb5f1559159

SHA256
ec4e6ab21207022350897d0ae96843a1f92fd9e34a44c2b23054b7f606e16b93

SHA512
659919a5657c4443f921f209b38489b057a9d975c26012dbdbfab4eda020a2878181869d1d1ff8d6ebdfa0d85b753fb2a1a5609b46fbd165bf02b502cb864114

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
8f9915d7a4ca30c994067cfc9f642d0b

SHA1
96dfdbefe11086d120126b19944a4092020355ca

SHA256
d825e98cb5ffac7da473e7ad25d6e80cc5e474d85a4e8e3dabd165337b29ad11

SHA512
7a3d008d38542654329c9689cad4abb7225ca31160e2af9aac5565ec8caf9300e42a129bc7c330e621d538833e2bd3b94714b3507b1722c98c16100c2be86920

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
c3ea7892305f6865c09192925ae3dcad

SHA1
de85180e263e0b934ca1d7581dce46d28c8923ac

SHA256
c5765aaf1134599279bfa2813894acb200becd685b0d4f4b3847bcecc5bf0459

SHA512
d2559436c2f20687f4529901df6e140cace667592a40bdf948a7f7bdec7ecb663b4d44a7c85273cc12d16c86777b53723901258d6684ec19dba8b720a0e92657

Download Submit
memory/752-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/752-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/752-4-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2528-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2528-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2528-18-0x00000000021E0000-0x000000000220B000-memory.dmp

Filesize
172KB

Download
memory/2528-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2624-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2624-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3048-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing