neconyd | c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667

General

Target

c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe
Size

62KB
MD5

aedb8c1eb7c3afae98c4ac358c7f9db6
SHA1

22de0468ec542fcb302cb46a1314ddbd6c1ffdef
SHA256

c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667
SHA512

a7c115d7c52565e9f9d4843042df3246f4fbb5f7cbcabacd8edd8ffd99a76e880acdcb2f047af03bd7e77f2e420ff3f8649daa8a2fe82f26a2b7f5b5772a7582
SSDEEP

768:IMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uAH:IbIvYvZEyFKF6N4yS+AQmZtl/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2072	omsecor.exe
3020	omsecor.exe
1336	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2508	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe
2508	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe
2072	omsecor.exe
2072	omsecor.exe
3020	omsecor.exe
3020	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2072	2508	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe	30
PID 2508 wrote to memory of 2072	2508	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe	30
PID 2508 wrote to memory of 2072	2508	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe	30
PID 2508 wrote to memory of 2072	2508	c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe	30
PID 2072 wrote to memory of 3020	2072	omsecor.exe	33
PID 2072 wrote to memory of 3020	2072	omsecor.exe	33
PID 2072 wrote to memory of 3020	2072	omsecor.exe	33
PID 2072 wrote to memory of 3020	2072	omsecor.exe	33
PID 3020 wrote to memory of 1336	3020	omsecor.exe	34
PID 3020 wrote to memory of 1336	3020	omsecor.exe	34
PID 3020 wrote to memory of 1336	3020	omsecor.exe	34
PID 3020 wrote to memory of 1336	3020	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe
"C:\Users\Admin\AppData\Local\Temp\c2b062b7f29fd4feaa2066c8559023b783bb49b598c9d8524383cc695dad7667.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
95e5580ee9bb4920f002a3c812bbd1a1

SHA1
c52bdc6aac22eee1ba474f3381d475e2bdb74780

SHA256
7a0f9eec4b59202117bd1a01c108309910685f1f2c8065675f676029f1e28cdd

SHA512
2044279cb23e58dec44b9e41eabd02a7fd04eafdb8c94d79c01d666c281d7f7561a72b07f7683ad53aeba6642e0a3c9141dc89a54ae08a91d1d7622311026a0f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
5b756f4d641ef871225158997c6a47bd

SHA1
45969e0f7d323f2f53535e97a7adad452d676e75

SHA256
1e888f5db715577d685d2acc645dbdcca93566e1157fd3af527b0816ce285970

SHA512
d2fb2e4ee3a5e6ea1679af59e4c2e60b0018f9969e08732a85fbaacb31f4897d553abd5b3e4a22160af4897e07369ba9ddf7c33543a98d271841fd7c5889c347

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
a3553a70e749db88367b37f9b04ec2a8

SHA1
b49db128efa3984cc1790d411e7cc0b541e1b9ec

SHA256
450f30fe5a0196e2be3adc4efc92580d97100e6cf945cdf6f032a961d3b1e10b

SHA512
adbcc4d3e5a70ad6baf8e80be11423e5765adeef782e01c67c917d1c2b78f18189fbb643c37bf36d6aa7a1507a062f0c0d4fef5b4109e0275d27f37d905ea1bf

Download Submit

Analysis

Sharing