neconyd | c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a

General

Target

c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe
Size

61KB
MD5

619c28a8af1040cc577155be8c9a06fa
SHA1

a1a7098886bf2bb38434a4a8f5d0f445cd38820c
SHA256

c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a
SHA512

8dc564ae6b43aa9a6554c3e273f0f41d4dbed7f6499437404dff37c96f5e64111f01c6e7246c61938678bcc61aeb844abdfd70d59d324b8666ea7152e5d2b4ac
SSDEEP

1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5d:edseIOMEZEyFjEOFqTiQmTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Downloads MZ/PE file 1 IoCs

flow	pid	Process
49	4168	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
2988	omsecor.exe
2108	omsecor.exe
4624	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4360	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2988	4480	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe	87
PID 4480 wrote to memory of 2988	4480	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe	87
PID 4480 wrote to memory of 2988	4480	c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe	87
PID 2988 wrote to memory of 2108	2988	omsecor.exe	105
PID 2988 wrote to memory of 2108	2988	omsecor.exe	105
PID 2988 wrote to memory of 2108	2988	omsecor.exe	105
PID 2108 wrote to memory of 4624	2108	omsecor.exe	106
PID 2108 wrote to memory of 4624	2108	omsecor.exe	106
PID 2108 wrote to memory of 4624	2108	omsecor.exe	106

C:\Users\Admin\AppData\Local\Temp\c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe
"C:\Users\Admin\AppData\Local\Temp\c612ba11465c90d3320090cad81c76ea3d9b7664ce46858fa493f534eda5774a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4624

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTM3QzE1RDUtQkVFQi00QzE4LUFENjctRDRENDJBMDJCQTEwfSIgdXNlcmlkPSJ7NEY1NTk3NzktQjMyMS00NzM1LTkwRDgtMkFFNDRCQjMyMTg2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjM3OURBRUYtNkQ2Qi00MkI5LUIzNjgtRDFBNzNDQkEzOTc4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjU0MjI3MDk3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e59f61557a880b9fe3fbbebf14c59ed9

SHA1
f31adf307de855e05dfa2d37f9e6051407dc807e

SHA256
755e93e6c0d1121286ccbc16d99cce34faf201aa6489e2b96f6dce350e7f04a9

SHA512
c56fe317ca4e9ce7a7c799c3919b9c28d68ce2d9f429f144645a1eeac43c3dad398038689ae59ed96c6480509ea4f539718dc606065a365d8c98141e8b6b4fbf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
f025ededa528937a41201a0ce7a81a05

SHA1
0e4b694427f9ef761a4d41cee5ca286308e50f35

SHA256
06646e975013614b901010cd6d180b7dc2b2e8eef9e41c857ffc2751476798c0

SHA512
80292fa835f86d8dfb1a53c2cfc59d0da8c345e30b3770e107bafbc25b0c413fe5bae07ad8de13da964c25bfcbb9c2f7af1c1bec18cc660c476fb8de815d9fe5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
7fb0b72f5d0ba827a9cc20403ac6d40e

SHA1
ff943d3cd4e84a140cd9911265240aeb606d4c6c

SHA256
658699531815ad6a2c980c8d4b3b9efce75f6dff4105de9b6fcd0c2169155724

SHA512
ab3cdbe35d918c60e6ea945bcad8b94f7d74bcc1059963206edee150651fcaf60d65a4d40f23dbc00792421013076a76c4cba845ac69bdc60bfdbe8ec17806db

Download Submit

Analysis

Sharing