neconyd | 3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574

General

Target

3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe
Size

89KB
MD5

2920d9e395a954b8d7efb98ab09d2200
SHA1

5103f927c8ff15d870aeee9a1315355d22b3a358
SHA256

3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574
SHA512

c7ec44c077d5f09ca815670bc691de3eadb8437e2aef405aa25d6989d58e3661c723ac4ef4d5796c029d5afee170e5fa2b09ab38bc357971899d929900d50b47
SSDEEP

768:DMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:DbIvYvZEyFKF6N4yS+AQmZTl/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2568	omsecor.exe
604	omsecor.exe
2680	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2552	3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe
2552	3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe
2568	omsecor.exe
2568	omsecor.exe
604	omsecor.exe
604	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2568	2552	3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe	30
PID 2552 wrote to memory of 2568	2552	3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe	30
PID 2552 wrote to memory of 2568	2552	3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe	30
PID 2552 wrote to memory of 2568	2552	3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe	30
PID 2568 wrote to memory of 604	2568	omsecor.exe	33
PID 2568 wrote to memory of 604	2568	omsecor.exe	33
PID 2568 wrote to memory of 604	2568	omsecor.exe	33
PID 2568 wrote to memory of 604	2568	omsecor.exe	33
PID 604 wrote to memory of 2680	604	omsecor.exe	34
PID 604 wrote to memory of 2680	604	omsecor.exe	34
PID 604 wrote to memory of 2680	604	omsecor.exe	34
PID 604 wrote to memory of 2680	604	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe
"C:\Users\Admin\AppData\Local\Temp\3c5c60383def85b22e747d35915ba32c9c63b20eb0b9360464be48d9f0313574N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
524e0d1d296c93c07e4151cf357699aa

SHA1
c77585161b65eea12f72e58cc9c970403afefb7b

SHA256
cde197106a55df99adff709bf3c9a9ba773781871ae86456795768f00ddbd074

SHA512
8758c37b4be2eb074002cfc4a1aaa22ab7f96b525ba340e5f1abad83aec6972f1de37569b8ea3b5fcba6b5e0ae86bcbb5bf03d3f3b5e7cd648cdd3fc85ac4f64

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
fa0c30191b1326c2c0aafbd4f2f2e847

SHA1
f0cf29a55619f6908a04f1c5004b2c00c87a9478

SHA256
ad94a1617ed49e50483121073da00783d22d18d748abf04b036907f3a63c7354

SHA512
25eee6354ae309891ee146047c99fe7a04906736f02904b7d5635e169ec49b7904ac10cd3965909daf747a54ca27da96b68bab3dc51e4e521d978738078a99fd

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
b3f910c6d4ef06401cce745606cafb53

SHA1
57f9bf3996e390122334fd0a35eaf0c8a19e130b

SHA256
b776086b64c5fe90c2c8c8707b56e60879d4b84b551765a90ef7791f7f0ada37

SHA512
2bbddc7d0a3d0105e27af7ef69796324de7550c1369d0af0d57dd9cee77a23d31407a7796635ea22032c20352330267e23a85e5c669738fd441ba84687502f1e

Download Submit

Analysis

Sharing