neconyd | c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0

General

Target

c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe
Size

80KB
MD5

bc93bb37f28c88b63de5ae3e2dc14206
SHA1

9ac40291bc4f21b7e32483a5450a994363a1b9ff
SHA256

c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0
SHA512

3f27bd6767254c3c2ad2eaf523f2c346362bfab90d25b6f6275af8169001987a395044673b80da2d09a5f8004c1dd62550044e29a968925ae54b718dae0b4361
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzL:LdseIOMEZEyFjEOFqTiQmOl/5xPvwP

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2464	omsecor.exe
688	omsecor.exe
1884	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1768	c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe
1768	c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe
2464	omsecor.exe
2464	omsecor.exe
688	omsecor.exe
688	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2464	1768	c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe	30
PID 1768 wrote to memory of 2464	1768	c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe	30
PID 1768 wrote to memory of 2464	1768	c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe	30
PID 1768 wrote to memory of 2464	1768	c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe	30
PID 2464 wrote to memory of 688	2464	omsecor.exe	33
PID 2464 wrote to memory of 688	2464	omsecor.exe	33
PID 2464 wrote to memory of 688	2464	omsecor.exe	33
PID 2464 wrote to memory of 688	2464	omsecor.exe	33
PID 688 wrote to memory of 1884	688	omsecor.exe	34
PID 688 wrote to memory of 1884	688	omsecor.exe	34
PID 688 wrote to memory of 1884	688	omsecor.exe	34
PID 688 wrote to memory of 1884	688	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe
"C:\Users\Admin\AppData\Local\Temp\c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
0f7b87df16a13c3d51b041d8d3f50821

SHA1
2bb1a47d6490d26d6412999d5248f1c73622d856

SHA256
b1b7ab280e48328dc92ed9495232033d7d9fd9eaef70b5c3e5e920e854ae5928

SHA512
d77bca55f08f254049ae2163b95c9f030abb3a28bc8b376262b0c84c13f4dca427ac62568a1fb8ae8616d2bd0e9e59fef907b5ae1901f6362d06a813088d9a51

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
4a03789697cf921f5999886dd7729bd9

SHA1
9d81cf4ce188e78b6623dbf0af1ed47b0bc63f68

SHA256
28eab6af32cc8bea59be3930bd71f06ce8120e4e502b55d5c60d2effc19a1a4a

SHA512
54dc47b2f594c65b63fc70b26fe43d58d92c5e70e04cef1c2f40a565b58248be5600e42595f01423abcb2dc04fc741967d46fa7a87bd383b873529c6106efb22

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
2be9be404367a81984269e8f4df0bbe5

SHA1
83279f3c4a12cce7b1a5171a2854d3c611a29f76

SHA256
ffda3753dffc08cee2ec5a04305c515a95989fb76a88d27d67574e7fb4dbf61b

SHA512
02d60aeada8f6f88473008e874272f44cd76c6377578ad0c6733e536f8e6135882e8124f617ae5bd975b29e9993581de9888fd47a759073884306416fa047100

Download Submit

Analysis

Sharing