neconyd | 6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571

General

Target

6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
Size

61KB
MD5

2d6d5374de73373cbc7625527ee63110
SHA1

2f56053b9adf1f48739dd47062ce8df726329f01
SHA256

6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571
SHA512

fd607c5a9dec7262a64234ce76a2fb1569217ec606fd7d402677c07e7798ae3c93bcd0a4bcbce0879bbc67d10e10751f6f9773073afeec9216e7936225d079f3
SSDEEP

1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5n:XdseIOMEZEyFjEOFqTiQmTl/5n

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2368	omsecor.exe
1784	omsecor.exe
2316	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1740	6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
1740	6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
2368	omsecor.exe
2368	omsecor.exe
1784	omsecor.exe
1784	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2368	1740	6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe	30
PID 1740 wrote to memory of 2368	1740	6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe	30
PID 1740 wrote to memory of 2368	1740	6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe	30
PID 1740 wrote to memory of 2368	1740	6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe	30
PID 2368 wrote to memory of 1784	2368	omsecor.exe	33
PID 2368 wrote to memory of 1784	2368	omsecor.exe	33
PID 2368 wrote to memory of 1784	2368	omsecor.exe	33
PID 2368 wrote to memory of 1784	2368	omsecor.exe	33
PID 1784 wrote to memory of 2316	1784	omsecor.exe	34
PID 1784 wrote to memory of 2316	1784	omsecor.exe	34
PID 1784 wrote to memory of 2316	1784	omsecor.exe	34
PID 1784 wrote to memory of 2316	1784	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe
"C:\Users\Admin\AppData\Local\Temp\6d3d742cfd5d2f95e576200c5f5d868842d81a5b21faebdeb2225216af6b2571.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
7838514e3189111da1d47ed6422e0ef0

SHA1
af409beeb187e04417b161e7e187feb94fd480ac

SHA256
4ba8cf6ca6acbffee2c6d8a3293a57e8053f907adab853aac86af2295d2a5eda

SHA512
fe553727ed52dfcfede0d3d7125cc5ffed473a1832d67fb34768b99ad977dd95a256292b178c7dc2d82411368a701c32e9658fefa31c32230d78ed2a1c922884

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
1ae95c59e2970d5101cdf175b7ac1c52

SHA1
25f91a69f98b3c48e78ca9adbcd941355f663cef

SHA256
f13c99122e8bb867ff8bf4ca3341cb16bbc74218323c1a0a35f33b39873b17a4

SHA512
3b0a97a0cd4d2299e5f6be440e9684052e377dea6564cd9e18c9ca19d16e91a04450f994a92efa697291117f25fac055a03de9c6cfe46c2267a981b01ff8e659

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
2c3c397555363005d0e9494e8cfa3719

SHA1
cd7f48382af485bd4a8d8060a15b0aff310af6f2

SHA256
5f0640ebb1e0839e3eff261699ac7aa7a481a3e8c77e8a7054d4e61e430d700f

SHA512
48e647d1e2987591aee44882bfd89c96e6756caf9ecc43e310d482a2a7c977e5c15e0ff8f7f224154e77760700f9a0e23f7e78748e35c33bb4b8cff5c3e30bb8

Download Submit

Analysis

Sharing