neconyd | c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a

General

Target

c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe
Size

61KB
MD5

619c28a8af1040cc577155be8c9a06fa
SHA1

a1a7098886bf2bb38434a4a8f5d0f445cd38820c
SHA256

c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a
SHA512

8dc564ae6b43aa9a6554c3e273f0f41d4dbed7f6499437404dff37c96f5e64111f01c6e7246c61938678bcc61aeb844abdfd70d59d324b8666ea7152e5d2b4ac
SSDEEP

1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5d:edseIOMEZEyFjEOFqTiQmTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2644	omsecor.exe
2060	omsecor.exe
772	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2628	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe
2628	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe
2644	omsecor.exe
2644	omsecor.exe
2060	omsecor.exe
2060	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2644	2628	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe	30
PID 2628 wrote to memory of 2644	2628	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe	30
PID 2628 wrote to memory of 2644	2628	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe	30
PID 2628 wrote to memory of 2644	2628	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe	30
PID 2644 wrote to memory of 2060	2644	omsecor.exe	32
PID 2644 wrote to memory of 2060	2644	omsecor.exe	32
PID 2644 wrote to memory of 2060	2644	omsecor.exe	32
PID 2644 wrote to memory of 2060	2644	omsecor.exe	32
PID 2060 wrote to memory of 772	2060	omsecor.exe	33
PID 2060 wrote to memory of 772	2060	omsecor.exe	33
PID 2060 wrote to memory of 772	2060	omsecor.exe	33
PID 2060 wrote to memory of 772	2060	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe
"C:\Users\Admin\AppData\Local\Temp\c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
f025ededa528937a41201a0ce7a81a05

SHA1
0e4b694427f9ef761a4d41cee5ca286308e50f35

SHA256
06646e975013614b901010cd6d180b7dc2b2e8eef9e41c857ffc2751476798c0

SHA512
80292fa835f86d8dfb1a53c2cfc59d0da8c345e30b3770e107bafbc25b0c413fe5bae07ad8de13da964c25bfcbb9c2f7af1c1bec18cc660c476fb8de815d9fe5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
988853672455aa3dccdb0ece06d39209

SHA1
62165262aafcf36fdc652a33033e702c20fdd7c1

SHA256
99c85d3fd9c32695018b765a6c5479781ecf57e7871bd6662b24a268263be7f5

SHA512
d46b8c80d73961eb4f1c61726370d0ab5dbdbcafa4c6f8a64eaf516f709d8844f7559ddbfceeb9bc25f22627f28bbf011eadce96db9d98055d31875d79103bf3

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
7acbe6d956806678f325c6bb1e7a15cf

SHA1
f533149c067a62e63a35a1e7aa3918c014958d3a

SHA256
dca0af0d4c5b3ac200401200c4e9aa550aac04697c52b353dd77d6f8dbdb578d

SHA512
f930f9f149a68122edaf6d10303b68a6b87f8bf415f71113e3b5b70af7fd8bc72ea9c29e79e41c4146119a6375103be2d145f549a68b6773ff344e5eca0bcc51

Download Submit

Analysis

Sharing