neconyd | c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730

General

Target

c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
Size

61KB
MD5

5abcdf729097346ef78f2f0de622e985
SHA1

f8c651f1f42bfdae19805eedb6a8ed143c51e99f
SHA256

c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730
SHA512

1751a20c427b07e6728fe761762fd6240a15725866fedee9e922948e5ae1dd04d16a136df9fc5a16061cd64734e2dd6eb52b1bd95f504bf5e950c9c18c77ce0b
SSDEEP

1536:kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZEl/5:cdseIOMEZEyFjEOFqTiQmCl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2344	omsecor.exe
768	omsecor.exe
1848	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1372	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
1372	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
2344	omsecor.exe
2344	omsecor.exe
768	omsecor.exe
768	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2344	1372	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe	31
PID 1372 wrote to memory of 2344	1372	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe	31
PID 1372 wrote to memory of 2344	1372	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe	31
PID 1372 wrote to memory of 2344	1372	c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe	31
PID 2344 wrote to memory of 768	2344	omsecor.exe	33
PID 2344 wrote to memory of 768	2344	omsecor.exe	33
PID 2344 wrote to memory of 768	2344	omsecor.exe	33
PID 2344 wrote to memory of 768	2344	omsecor.exe	33
PID 768 wrote to memory of 1848	768	omsecor.exe	34
PID 768 wrote to memory of 1848	768	omsecor.exe	34
PID 768 wrote to memory of 1848	768	omsecor.exe	34
PID 768 wrote to memory of 1848	768	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe
"C:\Users\Admin\AppData\Local\Temp\c6b26075ec0e704915a1a6569da784da2cd033a3c8e82df9a88638f205928730.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
2d90c64f5359bab5e38188d2ead0e30e

SHA1
3637462a38a68d410997fabdd311a6da2583ebd3

SHA256
acdb6ffb5b73227e01134fcc7b7e6664dd5eff259f02a49e48dab614a1a25784

SHA512
f83f581528e690ffad673f2a649b43a68a192c93698ed446f8599480384a8c67d36d02b863c03b19dd6c9cb8599e357175aba2399203c70b1f7b38c5990e67e7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
f7186926392df209d756a3dec934e2b0

SHA1
ad4974fbed0bd420a709f9164aab9f522bee9ba9

SHA256
5dda8ce44d0f51ed6d74b23a71e0784420269470fa0af72dc663925b7c82bfdd

SHA512
ff449e4a0146acb79042791d56d5f1567aea4dce0ea164cc3101befab748a2c53240a150929ec4c7a5392634da98619adb494affaebe12715e7160ddc21fc769

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
96684e72929e45620dc0eaddde116212

SHA1
0497f802d9e35cf70c3602622cff282232fdb1d3

SHA256
6e7b682b72c4331303f4e1139a61be158b2284d19706476c16b83c84812f48f3

SHA512
00effaed0b1d51dde403bf3f13f90a916dbc534cbb373e35eccd139fccd0e5d7fed4cd47498308b55013c7040d7bdb52b7c0885eb25bbe9378d37bdad2512b83

Download Submit

Analysis

Sharing