neconyd | 6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943

General

Target

6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe
Size

76KB
MD5

924adf3a4133b8454a9fffa391a51580
SHA1

13b2b4c5bea687a6c30f546b8c368d156725843d
SHA256

6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943
SHA512

298c672e19e809a115e7f7c086e88c7f419aa88305e064096e4c2490a8b5200545e69e2ba0faef2b3221cf0b3ab5459797436188293eef1262f92b81ef4a0d7b
SSDEEP

768:aMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:abIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2540	omsecor.exe
1440	omsecor.exe
1924	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2444	6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe
2444	6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe
2540	omsecor.exe
2540	omsecor.exe
1440	omsecor.exe
1440	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2540	2444	6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe	30
PID 2444 wrote to memory of 2540	2444	6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe	30
PID 2444 wrote to memory of 2540	2444	6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe	30
PID 2444 wrote to memory of 2540	2444	6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe	30
PID 2540 wrote to memory of 1440	2540	omsecor.exe	33
PID 2540 wrote to memory of 1440	2540	omsecor.exe	33
PID 2540 wrote to memory of 1440	2540	omsecor.exe	33
PID 2540 wrote to memory of 1440	2540	omsecor.exe	33
PID 1440 wrote to memory of 1924	1440	omsecor.exe	34
PID 1440 wrote to memory of 1924	1440	omsecor.exe	34
PID 1440 wrote to memory of 1924	1440	omsecor.exe	34
PID 1440 wrote to memory of 1924	1440	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe
"C:\Users\Admin\AppData\Local\Temp\6c7d73857c1d2c7c21d700cd3b994834f71c948080c438fd4f92156f30cb7943N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
c8c8c9542d0bb7a8ca2a12088a3561fe

SHA1
9e4ce13a2f6f9228a3f9db70f9cd74178598ac64

SHA256
92662463897f049ea77a8291755ba0ad49ba8836d5351b7f2aa04112a81efc04

SHA512
5076adc44a15466dbf65dd34704bf42e2e548b13880ca7cfadd8f677cd6a513fac981d5ba8859ccec6edabe175daef313c17bf5a22e8077a6bd998801fea4704

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
40e9e9b40c3bde302121e296a4e2fa58

SHA1
7956176782b45ba01bb9227966ee70c7b0a229b1

SHA256
1fbcc767e7e91786c1ac601c372a06c30e28fb4087898d5e53388b94d57559d7

SHA512
1905d40d01935b05dcecd372388e480ef1f263d398cfbdfba83b528639659a4c741b399f53182e67c2fe58268b2cebb041b40213238533d3d8d2c0cd76ad7477

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
7e84c325ef11a91d07970f83440cc3a6

SHA1
e86b116176be57541d69ea2459641212b3c5199e

SHA256
32153c77f059a983f9a7bfb5391de41c1fdc366584dc9a5114a4d1b5448b93ed

SHA512
5c1fa3393078b8d3c42b8ed3258d9de655aba9eba972cdfd5d39c556da135b4341c3a97cfce66fc658322b7ed7a99d26f257451d2ddf7b5f760140df9140d7ac

Download Submit

Analysis

Sharing