neconyd | 6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd

General

Target

6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe
Size

64KB
MD5

890017cc214815888bd06f01d6ea9ba9
SHA1

980b4f308aef43b85a005a490bacfb4eafddb2ac
SHA256

6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd
SHA512

2a121698c866435f0151ae602d38cb1e6926a3e599a486c4076217a9593ec25f318cdeb3e385fb2aea877461e452c734e5ca711aab96816f4ee362b8dbed281b
SSDEEP

768:oMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAV:obIvYvZEyFKF6N4yS+AQmZcl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2388	omsecor.exe
1504	omsecor.exe
320	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2156	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe
2156	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe
2388	omsecor.exe
2388	omsecor.exe
1504	omsecor.exe
1504	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2388	2156	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe	30
PID 2156 wrote to memory of 2388	2156	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe	30
PID 2156 wrote to memory of 2388	2156	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe	30
PID 2156 wrote to memory of 2388	2156	6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe	30
PID 2388 wrote to memory of 1504	2388	omsecor.exe	33
PID 2388 wrote to memory of 1504	2388	omsecor.exe	33
PID 2388 wrote to memory of 1504	2388	omsecor.exe	33
PID 2388 wrote to memory of 1504	2388	omsecor.exe	33
PID 1504 wrote to memory of 320	1504	omsecor.exe	34
PID 1504 wrote to memory of 320	1504	omsecor.exe	34
PID 1504 wrote to memory of 320	1504	omsecor.exe	34
PID 1504 wrote to memory of 320	1504	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe
"C:\Users\Admin\AppData\Local\Temp\6bed8d1ef662498f47aa5c77dea06f330a918873c4322edc54a57bb63e4ccafd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
5257ecdadc200cdb5db3f316b063f7d6

SHA1
948df0b3e21e704e91b2284f49c398d86212f1f4

SHA256
e1a4e85cf19eb4f4aeae42209e679c4ea79b8080041a39010742a4c90782e77a

SHA512
81096b9e7fa942910d385a0426b113ddf1c62f51854ae4b2bbe9c84afd5a7d5b3072f8af8984dd7a9b1ccc6e6baa99365fadb4b334d91ba1a87bc686527d9f5b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
ab6ea2953c6c7441161f3c362b8c02e7

SHA1
e21ea9f80c902f7f1a52fe338139aa4e09fcea1a

SHA256
4c2aad7367fe20cba10d6e49ad9f6de854513e802a10cafcc1fd969b36272994

SHA512
21ee8e55fe3f42add67d9e8bc9dada8f7284790b9d65a4165eada82bc565cca6797ffdd407226a4a31b749b298fd2ac252e8925a17afe132cd1673be893ba51a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
bad718726609940131ec614cee84cd0e

SHA1
87d643f1497e2dc2ec52dc3fe6ce07aa861b4477

SHA256
2f6030ea9cb23d2dacfccea895f9327d0fe7d7ebf2c1281df6225964dbb4baab

SHA512
adaa29b81d363f62ca722bbcae04cc851b6e8805ec3ec96647db4628552730c0600636508b4f4bca98c9734d6379333f3265923d36d23108ff5b09153a08c4fd

Download Submit

Analysis

Sharing