neconyd | c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590

General

Target

c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
Size

80KB
MD5

6b1d0da3d634c4d601247ec73c3a1046
SHA1

592151cc1d7029baf7a15ec4545e893142176130
SHA256

c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590
SHA512

915ab92bd344117e9eb74b8ec78cce6ec7c9a05e0341d8acedf12eb2bcd75865c3fa5aa4a27355845d5afd3a5dea298ce4e24732ef0ec673f5047328a440e695
SSDEEP

1536:ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzh:NdseIOMEZEyFjEOFqTiQmOl/5xPvwt

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2224	omsecor.exe
2980	omsecor.exe
2904	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2620	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
2620	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
2224	omsecor.exe
2224	omsecor.exe
2980	omsecor.exe
2980	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2224	2620	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe	30
PID 2620 wrote to memory of 2224	2620	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe	30
PID 2620 wrote to memory of 2224	2620	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe	30
PID 2620 wrote to memory of 2224	2620	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe	30
PID 2224 wrote to memory of 2980	2224	omsecor.exe	32
PID 2224 wrote to memory of 2980	2224	omsecor.exe	32
PID 2224 wrote to memory of 2980	2224	omsecor.exe	32
PID 2224 wrote to memory of 2980	2224	omsecor.exe	32
PID 2980 wrote to memory of 2904	2980	omsecor.exe	33
PID 2980 wrote to memory of 2904	2980	omsecor.exe	33
PID 2980 wrote to memory of 2904	2980	omsecor.exe	33
PID 2980 wrote to memory of 2904	2980	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
"C:\Users\Admin\AppData\Local\Temp\c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
2a08d7ecbb2a8d696a895307850a24c4

SHA1
f337721b2f100203a098539c01379d00cc8d5714

SHA256
7175449f16e839030a1343ccfa8d9704151228a7558b83dc2d8df8b2a31a1d40

SHA512
3b4901b0a61a9cf2ea2c71f3f35b977f5b27a9970a351487f1e4c09d175693f0c97b1499adaed10e1e999de19fbdd99f3f5defea7e7fbcd55f7cf9d687d6f898

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
4f130a0b4cf406ddd9af593af9205158

SHA1
7cefb9f90e21b6ed971f5490c6b0725aa4a141a8

SHA256
ee7df972530b96d3267454816da906b142be49e995dc7205f95a1bda12d77a9b

SHA512
dddda4c6e87fec8dfcaa019e80d9419458228ffac643cfa7426ce65a29e50d0838aaa58ce8258b189573e84c9b73fb5ae70432e498e8e1bbf76e4e3d8248af44

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
044324bd1d0495f35425fdcd50b5a5b4

SHA1
77aee1aabc9b2e0fa1e78d6f7981235b4bd3a3cf

SHA256
de2aa0f4f56f847d5cf5a04d5bdf5a2bb836ebf7e4437516c369b64402785ce8

SHA512
980f0dd03d94448fa03b62391e2704ad9767519408052085e9262e3ddaa9522d5311c0f36988caeb80e7b62c08399693432c0ec5112c8acf7d43034a0a5fdacc

Download Submit

Analysis

Sharing