neconyd | 2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76

General

Target

2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe
Size

90KB
MD5

7d8abf864e959016909ef1bb03a5283b
SHA1

fef274a39a2396d64bcddc5b72fc8f471091a4ec
SHA256

2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76
SHA512

89b73f1b4b6c061fa094c4b9684f583684424c67ad4a6d82b66727b91fb5cd1ca4771fbb11b4dc78d5dacd1457baed020da66f8ad20a08527f40ed399b12e05a
SSDEEP

768:kMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA6:kbIvYvZEyFKF6N4aS5AQmZTl/5C

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2568	omsecor.exe
1992	omsecor.exe
2948	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2500	2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe
2500	2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe
2568	omsecor.exe
2568	omsecor.exe
1992	omsecor.exe
1992	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2568	2500	2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe	30
PID 2500 wrote to memory of 2568	2500	2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe	30
PID 2500 wrote to memory of 2568	2500	2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe	30
PID 2500 wrote to memory of 2568	2500	2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe	30
PID 2568 wrote to memory of 1992	2568	omsecor.exe	33
PID 2568 wrote to memory of 1992	2568	omsecor.exe	33
PID 2568 wrote to memory of 1992	2568	omsecor.exe	33
PID 2568 wrote to memory of 1992	2568	omsecor.exe	33
PID 1992 wrote to memory of 2948	1992	omsecor.exe	34
PID 1992 wrote to memory of 2948	1992	omsecor.exe	34
PID 1992 wrote to memory of 2948	1992	omsecor.exe	34
PID 1992 wrote to memory of 2948	1992	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe
"C:\Users\Admin\AppData\Local\Temp\2c5e3dd714059961c81f62f787103661aceffb8c04435d699f41e38090cb5a76.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
2e6aa43df4788a28fa2c7dbe5ae584bd

SHA1
e3228257dbb163da4879f5e7b3bc09dba730dd85

SHA256
e269f616135e88717f541577cd86bd2ef261f112f8c13a16480093fdfc0ed7a1

SHA512
c2dd1a4483ad32be42cba40f48a4442d7317f78b35e9a38903f432b9aa8cb52dffa78939c663191cc2fbe0ba2bbde2d210c6c9306930912e0e3bf0ef4cfacefa

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
5d373c7c95e53085405044ded6e95af1

SHA1
95d285cf5e31ba9eac2047c0853eb2ab8d75649e

SHA256
6424ce91fc481a2bcefcd5a4a3b2543d39c4240187cf5a57972a0b5d826e2174

SHA512
ec1581827c7c5a012b51585a5f2f7d4f9bf910bf722a151a74d56812b1860b102cd7a13efe140213595bb17f7cc50d62d9fc0bb4dc4058e098b075abe89aed7c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
bca4b2b1377788d097845d556f7e571d

SHA1
86886a96f3091de4a7db3ccab2fce9641219c77c

SHA256
1f545bfbfa4c35e44a97c1f7717e09421ddb6d1306fe507280ed8e014d26a402

SHA512
9f25019829b052887c8ec23ef087f4aced1336094ca36dcab27ccfc90b443e4b10455246b2fde454e3ae0cacafe986855f73d5ede0c6a2d90b6b9936d56ec957

Download Submit
memory/1992-30-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1992-39-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1992-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1992-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2500-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2500-9-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2500-8-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2500-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2568-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2568-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2568-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2948-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing