neconyd | 6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab

General

Target

6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe
Size

65KB
MD5

bb250af5f098117ea109a96e7335ec27
SHA1

6e7ef84c96da818949bae42abf5c10ae5746a38e
SHA256

6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab
SHA512

0e4ed40a1ee54127ccefa7776e4a655b3119383c591da05f2ce9663cf4c294b9d9873e3cee06547a5c5f5f3a959f14d795730777eba4198675736dabe46af7d2
SSDEEP

1536:hd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/HzX:RdseIO+EZEyFjEOFqTiQmRHzX

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2724	omsecor.exe
2888	omsecor.exe
1540	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2680	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe
2680	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe
2724	omsecor.exe
2724	omsecor.exe
2888	omsecor.exe
2888	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2724	2680	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe	30
PID 2680 wrote to memory of 2724	2680	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe	30
PID 2680 wrote to memory of 2724	2680	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe	30
PID 2680 wrote to memory of 2724	2680	6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe	30
PID 2724 wrote to memory of 2888	2724	omsecor.exe	33
PID 2724 wrote to memory of 2888	2724	omsecor.exe	33
PID 2724 wrote to memory of 2888	2724	omsecor.exe	33
PID 2724 wrote to memory of 2888	2724	omsecor.exe	33
PID 2888 wrote to memory of 1540	2888	omsecor.exe	34
PID 2888 wrote to memory of 1540	2888	omsecor.exe	34
PID 2888 wrote to memory of 1540	2888	omsecor.exe	34
PID 2888 wrote to memory of 1540	2888	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe
"C:\Users\Admin\AppData\Local\Temp\6f13e6496c204a1292f80acf695631f0526d04870ce34afa68b791aec22082ab.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
7824bffb3b4db752493dcfa3e7627c90

SHA1
60b5be9fae8289ce290e63136a88e2f4c7583894

SHA256
e16ce8350619d63ee8b90dcdce1ddd010968a4232d51092c853c648b56314dd9

SHA512
ea6ff30a04e03e4cf05b6d995862e5c98f40d8fb3806bc9e99fbe6d1392b879114d182490f34ce62675a9b652b4627dca893dd0dc991a209e6038d9ee987dde5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
9a7ae2404a6470b5a63a5abb7881e77e

SHA1
cbc6bd3cd2412ba39561d9f09127ac6f47721835

SHA256
c58ee35315196651fd5fe8f991f7da7cbb4ade53943ff8a541cf536a8f0d6e71

SHA512
b285739fcf7ea67d67f0d1ae89c2a51f49c5a0de7e637cdb47efca49d5f2a57c86d001e163f32d2dfe87c7434938af538046cec424c08d25380cb42e210484d3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
97cdd91583a717015a3cd9de027b11ab

SHA1
1d434521c1e19177a787cd8457806e1ef9faf0c8

SHA256
471180835e9851d2187e6b0dd297f2a212c1b23832e9ec1f861d63624fa5b671

SHA512
7207f9a7ca329b1fa9f5aacd2c1c2e9ede93b4ba35b00d9ca08634d65f1783de162adffc3bf6b934e3c5348d68d245b6459ab5513aef6402b8c94965395a22b5

Download Submit
memory/1540-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2680-8-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/2680-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2680-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2680-9-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/2724-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2724-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2724-25-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2724-24-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2724-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-33-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2888-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing