neconyd | 5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490

General

Target

5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe
Size

80KB
MD5

431e044ebf05b222a2a8135ddc28cb70
SHA1

9aadb3aeae060ffc8f6bd055a4a06413a135eb4c
SHA256

5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490
SHA512

39958eaef07cad655fa0858af0abe45c1a6551aeae8ffda7e3879b40f9c324b1ec329227a6e810f069e83f98174f06f6ce89960ddb69c888fd70ec8605429ba4
SSDEEP

1536:Od9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:WdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2724	omsecor.exe
2840	omsecor.exe
2948	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2708	5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe
2708	5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe
2724	omsecor.exe
2724	omsecor.exe
2840	omsecor.exe
2840	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2724	2708	5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe	31
PID 2708 wrote to memory of 2724	2708	5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe	31
PID 2708 wrote to memory of 2724	2708	5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe	31
PID 2708 wrote to memory of 2724	2708	5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe	31
PID 2724 wrote to memory of 2840	2724	omsecor.exe	33
PID 2724 wrote to memory of 2840	2724	omsecor.exe	33
PID 2724 wrote to memory of 2840	2724	omsecor.exe	33
PID 2724 wrote to memory of 2840	2724	omsecor.exe	33
PID 2840 wrote to memory of 2948	2840	omsecor.exe	34
PID 2840 wrote to memory of 2948	2840	omsecor.exe	34
PID 2840 wrote to memory of 2948	2840	omsecor.exe	34
PID 2840 wrote to memory of 2948	2840	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe
"C:\Users\Admin\AppData\Local\Temp\5c3f04b162538d05c368c5c4f3123e4a914c64200b5fdb91e524ce5f977ae490N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
281dcbafce34479ee7ddf9fd3d859629

SHA1
97a424dc726f8ecd68f8346430224cb37e9b5bdc

SHA256
b5767afd76c3e237d24f498900a501a353c706cfc94637f57b1a09d3c3ade960

SHA512
84af1cd321fa02b2c206a571f9e774c6474cbfd36e697d0c89b51c9dac5a69356c55770ff8307577edd42faff62a3cc2f9ffefd0892b404d33f07cd648d35bfb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
4865ee7de1deab80ee74a23d065cb541

SHA1
83a17afa28723454fa5abfba17d8db9e7dee1892

SHA256
9ea17b04acbf67d7bcb5d9b58d21093e0d4a30a838fc17f14085a44c3944f0a2

SHA512
8658141d1d117575cf5a666804aee8496586b01d69183f78909d22317dc59d6b832e425cab47feef22d34f1acaba6adcbd55b229afc7a2f144c25b18323e4b90

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
8a984fc91f9735f2cd21879084dde71d

SHA1
4f856db9eb4e4fcd06cbbeca75a9ee65566a8860

SHA256
548c50f6809d4a290e7d987c5846cc05d2275dc4f10ff94331a5b3930b517a2a

SHA512
4782b486ebb71e461d623c96dce86f37d00f39de309382ee50562aa060ead68984bae2fca0fa4a3c572d655dbf250e1d4515ea3916ee30895b8755112e95d74f

Download Submit

Analysis

Sharing