neconyd | c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590

General

Target

c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
Size

80KB
MD5

6b1d0da3d634c4d601247ec73c3a1046
SHA1

592151cc1d7029baf7a15ec4545e893142176130
SHA256

c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590
SHA512

915ab92bd344117e9eb74b8ec78cce6ec7c9a05e0341d8acedf12eb2bcd75865c3fa5aa4a27355845d5afd3a5dea298ce4e24732ef0ec673f5047328a440e695
SSDEEP

1536:ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzh:NdseIOMEZEyFjEOFqTiQmOl/5xPvwt

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2320	omsecor.exe
1472	omsecor.exe
1152	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
2528	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
2320	omsecor.exe
2320	omsecor.exe
1472	omsecor.exe
1472	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2320	2528	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe	30
PID 2528 wrote to memory of 2320	2528	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe	30
PID 2528 wrote to memory of 2320	2528	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe	30
PID 2528 wrote to memory of 2320	2528	c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe	30
PID 2320 wrote to memory of 1472	2320	omsecor.exe	33
PID 2320 wrote to memory of 1472	2320	omsecor.exe	33
PID 2320 wrote to memory of 1472	2320	omsecor.exe	33
PID 2320 wrote to memory of 1472	2320	omsecor.exe	33
PID 1472 wrote to memory of 1152	1472	omsecor.exe	34
PID 1472 wrote to memory of 1152	1472	omsecor.exe	34
PID 1472 wrote to memory of 1152	1472	omsecor.exe	34
PID 1472 wrote to memory of 1152	1472	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
"C:\Users\Admin\AppData\Local\Temp\c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
556df1b75944ff55de9f3e5c42e9e749

SHA1
66aae0720fe45502e30190b1250fc9e4db5fd9ab

SHA256
438d620a0ebe6d48923a8770dd86545efdac76e310a011b2edf24fe1fb25ffe0

SHA512
f41fb825fec9bff3f082f879e565e6cf4335cc5a16afa7728077f9daf3a8643679a2d1cc08f2fa0c17970735d1aa1c358cb7c90428cbca4886fe36529b3425f9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
2a08d7ecbb2a8d696a895307850a24c4

SHA1
f337721b2f100203a098539c01379d00cc8d5714

SHA256
7175449f16e839030a1343ccfa8d9704151228a7558b83dc2d8df8b2a31a1d40

SHA512
3b4901b0a61a9cf2ea2c71f3f35b977f5b27a9970a351487f1e4c09d175693f0c97b1499adaed10e1e999de19fbdd99f3f5defea7e7fbcd55f7cf9d687d6f898

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
243f5021249a91c281aaf5b26c6d9e2d

SHA1
3be6d1df179071a3c77d4d1dca32a69acb0d6e4d

SHA256
5e962fb4da8b4bd82d1344d7828146e303414efce0d7db9b4bc6237f5fe28e20

SHA512
8f82000d262d51bb7da1d19c5ab7c98bb324bb65a43bbeb4f717930f84f350c8435839d193713e72c1f12898ce2b8c1c246e604a8f8e62e4bf377073e3aecb2d

Download Submit

Analysis

Sharing