neconyd | 98bda23898b8e0477eaf56f8eb896f8db439689edc7ad6a4b69d0149aaf5ad65

General

Target

98bda23898b8e0477eaf56f8eb896f8db439689edc7ad6a4b69d0149aaf5ad65.exe
Size

248KB
MD5

e6335d104647b522190b42c68519dc49
SHA1

cab9c2a326e238f95f71a44d60169840ca2fe20f
SHA256

98bda23898b8e0477eaf56f8eb896f8db439689edc7ad6a4b69d0149aaf5ad65
SHA512

dba228dea84e648ddb5fd29f37308939ce2d59dd484887f467ab5b2b5acbe6303a76d3c0758a7e9d9bdc40580715dcdef31ff3bdc7551a71586d1bbfa10430a6
SSDEEP

1536:Q4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:QIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1496	omsecor.exe
4436	omsecor.exe
756	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4448-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000800000002343c-4.dat	upx
behavioral2/memory/4448-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/1496-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/1496-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000400000001e73b-10.dat	upx
behavioral2/memory/1496-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4436-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000800000002343c-16.dat	upx
behavioral2/memory/4436-17-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/756-19-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/756-20-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98bda23898b8e0477eaf56f8eb896f8db439689edc7ad6a4b69d0149aaf5ad65.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1496	4448	98bda23898b8e0477eaf56f8eb896f8db439689edc7ad6a4b69d0149aaf5ad65.exe	84
PID 4448 wrote to memory of 1496	4448	98bda23898b8e0477eaf56f8eb896f8db439689edc7ad6a4b69d0149aaf5ad65.exe	84
PID 4448 wrote to memory of 1496	4448	98bda23898b8e0477eaf56f8eb896f8db439689edc7ad6a4b69d0149aaf5ad65.exe	84
PID 1496 wrote to memory of 4436	1496	omsecor.exe	100
PID 1496 wrote to memory of 4436	1496	omsecor.exe	100
PID 1496 wrote to memory of 4436	1496	omsecor.exe	100
PID 4436 wrote to memory of 756	4436	omsecor.exe	101
PID 4436 wrote to memory of 756	4436	omsecor.exe	101
PID 4436 wrote to memory of 756	4436	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\98bda23898b8e0477eaf56f8eb896f8db439689edc7ad6a4b69d0149aaf5ad65.exe
"C:\Users\Admin\AppData\Local\Temp\98bda23898b8e0477eaf56f8eb896f8db439689edc7ad6a4b69d0149aaf5ad65.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
300136f2e6ca7315cdb03008e57bc6d3

SHA1
3780ca8ec0935ad6807362720f29578ebdcd8e41

SHA256
916d571060aac62a031e3fca64343e49634e99489cf92ef6a56e775226950f1f

SHA512
74ce200375d03cf430ff76b4ffefcc6ec035e87f03d2d72cba2d8da1a26afcf1180964a452beed941f20e8aaee98d997200d06d2eeb8f6dfc9388ae903a77ee4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
afea7502814707dba6e687d067660ca9

SHA1
e77736e6a1f24ed4902e45f46962b3d1d1c747f2

SHA256
af8f314358cb4065d591a22f9c7af9dbcac275522ff7157ff963aec362763f1c

SHA512
d53ba66f229f5c89d0821642e19f2dbebcbe6ebf99264b1fc9c841e39ee844e5824a9205e6f371cb6c67c3ed11acb025061fe330f5dd7c680dc81cc9bab1cc54

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
65a86f21bb8d47ebbb650629259bc186

SHA1
9f21a567808412dd338323a4e224980f49e42629

SHA256
cfc8502246ba8c8d3aa41e3dcf773f8c484ae7cf2c1674601476fd4424216ed4

SHA512
2e433d474da2ca0dc67d9783f84fdd41c89e80cea2a6108210dc898d1032f9b78cc2f686dea60a296bd48adba154a7ad8243d60235ff5d72705cc036979f04a5

Download Submit
memory/756-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing