neconyd | eeb6aa7ce9da18a3641218a38ad028c078d5f5d3ed9f329734678c14ce7aa6f4

General

Target

d8cfe74eaa707ae96ae588c33d610e60N.exe
Size

35KB
MD5

d8cfe74eaa707ae96ae588c33d610e60
SHA1

2db800a053fa7645eee7f2d36a845ec2f93d2e8b
SHA256

eeb6aa7ce9da18a3641218a38ad028c078d5f5d3ed9f329734678c14ce7aa6f4
SHA512

77036461e8d81a32eab664b88a9bb5a1397341b3746dff9177e9769083a2611208e9eac564fc5e21d73d7792bde6a254d1517c52fb8e19f936a1044efe6f1549
SSDEEP

768:46vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:/8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2548	omsecor.exe
1104	omsecor.exe
2480	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2512	d8cfe74eaa707ae96ae588c33d610e60N.exe
2512	d8cfe74eaa707ae96ae588c33d610e60N.exe
2548	omsecor.exe
2548	omsecor.exe
1104	omsecor.exe
1104	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2512-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000a00000001202c-10.dat	upx
behavioral1/memory/2548-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2512-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2548-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2548-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2548-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2548-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-24.dat	upx
behavioral1/memory/1104-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2548-31-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000a00000001202c-36.dat	upx
behavioral1/memory/1104-45-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2480-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2480-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8cfe74eaa707ae96ae588c33d610e60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2548	2512	d8cfe74eaa707ae96ae588c33d610e60N.exe	30
PID 2512 wrote to memory of 2548	2512	d8cfe74eaa707ae96ae588c33d610e60N.exe	30
PID 2512 wrote to memory of 2548	2512	d8cfe74eaa707ae96ae588c33d610e60N.exe	30
PID 2512 wrote to memory of 2548	2512	d8cfe74eaa707ae96ae588c33d610e60N.exe	30
PID 2548 wrote to memory of 1104	2548	omsecor.exe	33
PID 2548 wrote to memory of 1104	2548	omsecor.exe	33
PID 2548 wrote to memory of 1104	2548	omsecor.exe	33
PID 2548 wrote to memory of 1104	2548	omsecor.exe	33
PID 1104 wrote to memory of 2480	1104	omsecor.exe	34
PID 1104 wrote to memory of 2480	1104	omsecor.exe	34
PID 1104 wrote to memory of 2480	1104	omsecor.exe	34
PID 1104 wrote to memory of 2480	1104	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d8cfe74eaa707ae96ae588c33d610e60N.exe
"C:\Users\Admin\AppData\Local\Temp\d8cfe74eaa707ae96ae588c33d610e60N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
dcf297cff02f505a43ad8f02b5ff2f5a

SHA1
29316af7e1155dbe9808c1ff94c1c57bb4621772

SHA256
c7ee1454de37de24c58e00303b8757ca7c66884eaccc420bb112091fcb924e66

SHA512
f528a89538f2720a017e4b0c68f6f1133dd03c9b3ce0dae6e76999f7f96417a3e60bc6e3d9c82dc409de92bea7e9fb2bd1dff3c74cf72761ff43d06a3ea7d8f6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
b8ccaf133c11a606c05d848a1a255ba9

SHA1
046c634da45b9306ef69317d7bf9eb2216abe0e3

SHA256
3c7896b301dbe3d66412927a012fdca2877f73b75233ed80798a17c709476e90

SHA512
aa31cedd62e8bbf401138529dc389ceb418f5aa50c039543315204d4e363e196fd5d6281abfcaf9d787ff1b9dd025281e7751c3c05e401cdb93bb0e922fc6217

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
ab5476bac141240a500bbc23918e0146

SHA1
7cd727a2f8603f89803be0ca614a3113766b520a

SHA256
ad0f5e41b00871ec569450cc872e5398a687f6f169d5a9c973f5aca04f92d30a

SHA512
0987953f584aebb5cc0304fd96208a44d9e1d9c1dc412e37ef349aa3e40f1f58420378bf648d7b604f5a8ee026201761fabf6321464db83682e45a26c0e74c6f

Download Submit
memory/1104-43-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/1104-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1104-45-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2480-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2480-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2512-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2512-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2548-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2548-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2548-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2548-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2548-31-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2548-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing