neconyd | 6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7

General

Target

6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe
Size

72KB
MD5

dfd32fa7fff9694bdafb4f39ecf82430
SHA1

8592f7d91c217b97b1a48b80d795302414572870
SHA256

6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7
SHA512

c09245e97f1e3533745f86a5376a054fa286e1f1ea8c921e9c557297bbc57b7e54888ce0099c3497cb0320b994f28ab0c1172febaf849a1020651a854469182d
SSDEEP

1536:yd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211X:CdseIOMEZEyFjEOFqTiQm5l/5211X

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1512	omsecor.exe
1856	omsecor.exe
2432	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1484	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe
1484	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe
1512	omsecor.exe
1512	omsecor.exe
1856	omsecor.exe
1856	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1512	1484	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe	31
PID 1484 wrote to memory of 1512	1484	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe	31
PID 1484 wrote to memory of 1512	1484	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe	31
PID 1484 wrote to memory of 1512	1484	6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe	31
PID 1512 wrote to memory of 1856	1512	omsecor.exe	34
PID 1512 wrote to memory of 1856	1512	omsecor.exe	34
PID 1512 wrote to memory of 1856	1512	omsecor.exe	34
PID 1512 wrote to memory of 1856	1512	omsecor.exe	34
PID 1856 wrote to memory of 2432	1856	omsecor.exe	35
PID 1856 wrote to memory of 2432	1856	omsecor.exe	35
PID 1856 wrote to memory of 2432	1856	omsecor.exe	35
PID 1856 wrote to memory of 2432	1856	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe
"C:\Users\Admin\AppData\Local\Temp\6305808fdba57c7bb394d3c97f49df2d2fb73b2449f8d1f9265d5e331cddedf7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
f9ec3aa78a555730bd33b724f1e60a1a

SHA1
2672956ddcf4032b179ddc2e0f0b0161caf72560

SHA256
1b3c10eca785706ec0151f2c7c4b77f79fe01fbe3063ed76ed54dd433cda874b

SHA512
285c34a662bf5b2a4ee7d7a414e266cfbf87bfb623cf36a8253f0c9b453326f5ba7c946442d391360757d25ecef0860305939f58389f2db81439d95a3a0e8191

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
89404db2029673b2c7ffcf36aaa67cc4

SHA1
d920ecdc75d1d698996fdc1fd281640ee0fe7454

SHA256
6c3f4a8a81ce75a31832db7f98e61554d213f515c55a28daad3dc7b54ede939c

SHA512
d3e9134c61ba5ab7cd1e40af74c92775b714b06fa31a20f2afe1b695f0f4753bb1931cc1986647621dfab07ea70015ff4f73b0026d3f2bae2e3ee0aa098c1f7f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
db87a52e4f59c75e207154bcce494a30

SHA1
58d62d2098c52b87d87b2cf5c80f965a1c41fb1d

SHA256
965cbfe862cb7543c915aa7efa20c312b006ad96d7e00096fb570885ce1b8866

SHA512
c1a2b072da4b895c64f41fe9d66fc7ab647c959a154f84edc806c2d6986337b2d43228e3ab20d6748528e268018f4a7751560499e7f2018344b67587919cb46a

Download Submit

Analysis

Sharing