neconyd | c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8

General

Target

c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe
Size

72KB
MD5

eba85427128a335efa163428b152ce0e
SHA1

99b39b9a5a19e77d0cd25892945e1460bdb31640
SHA256

c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8
SHA512

15297bb69209bbc0861e5f65f60e9ed9901b17d36b6d8ba18bf11371b48ba652091bebdd8c5a3d008a5bee2feac2620aa989d0d13cd6dadfd685c293ae31eb52
SSDEEP

1536:Dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211P:jdseIOMEZEyFjEOFqTiQm5l/5211P

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1696	omsecor.exe
3016	omsecor.exe
1920	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2452	c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe
2452	c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe
1696	omsecor.exe
1696	omsecor.exe
3016	omsecor.exe
3016	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1696	2452	c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe	31
PID 2452 wrote to memory of 1696	2452	c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe	31
PID 2452 wrote to memory of 1696	2452	c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe	31
PID 2452 wrote to memory of 1696	2452	c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe	31
PID 1696 wrote to memory of 3016	1696	omsecor.exe	33
PID 1696 wrote to memory of 3016	1696	omsecor.exe	33
PID 1696 wrote to memory of 3016	1696	omsecor.exe	33
PID 1696 wrote to memory of 3016	1696	omsecor.exe	33
PID 3016 wrote to memory of 1920	3016	omsecor.exe	34
PID 3016 wrote to memory of 1920	3016	omsecor.exe	34
PID 3016 wrote to memory of 1920	3016	omsecor.exe	34
PID 3016 wrote to memory of 1920	3016	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe
"C:\Users\Admin\AppData\Local\Temp\c2037eed490a4b762b72347155a1e99451e64890ac47e1bdf8f3da2d9b6ca1f8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
605909559538d9daf2623114bc7d1b6b

SHA1
cc07b14f8452c2ba4049ace133eaa586273d429e

SHA256
12104581479d18748dfb82ad14f748ffa3b4b45f4052a2196af2b3c7325899a8

SHA512
067a733b01b96443778eb6cf4b21720f33364ba3b628ed760cf280d1cacebaa38c49b5dc875f1718c6ffc4cc42786138bf519990bd45d35e42e2e5fee4a246da

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
f7f8a902db554e383256a6252175b9a5

SHA1
024aded1d66387d4a1875e986438aac3dd683d29

SHA256
116bd8e9d5d5e566d04d22220076b9bae45a3c47952e1469397f54dd6ec7a5fc

SHA512
a548ca6fb6036fa4be58dd5f00c18a59392f69b009be440ccc24d26b18fd5941ec0b62d37c33909e6235ace6f4607eb638f68ed622493731a0f45f8b3b541dd9

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
39f860f2eeff93c53e1f87efc5952828

SHA1
29f865847377f4d8e061b5cc7a92bc95140636eb

SHA256
58eed81f0dad94648b8ff6300a4aa164d95fb4304409f18435aa05756bb327bf

SHA512
fe21489c9ebc5ca7ddccb044370bc5aa25df9acfbf16aa41924e4793263e520f5d80980fec4bcf05a3efaa4fdb0bf24dc914e66e883b8c72109aaef89ab79a2b

Download Submit

Analysis

Sharing