neconyd | c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6d

General

Target

c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe
Size

88KB
MD5

48891af185479fc1f82a2a9f397a9760
SHA1

ee0a085015948917b5aa163dafe85062d236335d
SHA256

c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6d
SHA512

8e1b450a46d8333287f577840d0bc10317f82fe6bfe0875df0f76c3390615ce95eaa486ad21d83eb5847d09671971991100f5c17e84f4ba4641429dfaeba64c4
SSDEEP

1536:Md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5R:0dseIOMEZEyFjEOFqTiQm5l/5R

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2240	omsecor.exe
564	omsecor.exe
2936	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2492	c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe
2492	c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe
2240	omsecor.exe
2240	omsecor.exe
564	omsecor.exe
564	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2240	2492	c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe	30
PID 2492 wrote to memory of 2240	2492	c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe	30
PID 2492 wrote to memory of 2240	2492	c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe	30
PID 2492 wrote to memory of 2240	2492	c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe	30
PID 2240 wrote to memory of 564	2240	omsecor.exe	33
PID 2240 wrote to memory of 564	2240	omsecor.exe	33
PID 2240 wrote to memory of 564	2240	omsecor.exe	33
PID 2240 wrote to memory of 564	2240	omsecor.exe	33
PID 564 wrote to memory of 2936	564	omsecor.exe	34
PID 564 wrote to memory of 2936	564	omsecor.exe	34
PID 564 wrote to memory of 2936	564	omsecor.exe	34
PID 564 wrote to memory of 2936	564	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe
"C:\Users\Admin\AppData\Local\Temp\c1ed09c4504f234b83540c8002c5676bcd12a4723c2307a88328ff803086de6dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
56ed59945ad94393aac5a6e4a9883b3e

SHA1
03bc91ce3dfbe770ad812b6e88a1046d65003654

SHA256
34d0284078626c17f5a7bb32cb0e5d570071c3096c230bd58f6f8172f62735d0

SHA512
ce489d5a648053f95fd97aca47c5ade10e2d44a28255b129989ad89beb069b3dce56b2d2d7717803a6bd24e4dba5f6477da8feea8520c595457a7934c7f9c955

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
aabad66e8ffcd556479a6c3334f0e1a0

SHA1
325088df9872a97f66b36df3a2ca27c0123a842d

SHA256
f2b47e21de4d90c7888e3cab7c02f7de93753fe973513ecd962182f9913a8929

SHA512
8c3e5e66a6c1fa207f4c4e85642519f0be2f00d1cae85c76e055f64ac277c08c422a8e256fc1976ae0c73090b5ed3b529bc0d394d341ba46a4647700e619ac55

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
d289483e9405b3b14ad323196c276bc0

SHA1
09e8a7d2fb991919cc1e580dda4435a7b12e85e1

SHA256
46f7e209da1ff97dda3939e93359fed6ffc7f61e25e81c02d51967f161fba414

SHA512
1f13ff3e9a36af4cabebd0d4e2c323a13993cf659b813475e3eddb8b24404c1f7f59c552e88a1dad710ba31c3c361437ae0f3ff25bdb02ccbabe88afa256ca50

Download Submit

Analysis

Sharing