neconyd | 4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12

General

Target

4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe
Size

248KB
MD5

91cee97fec67a35a299c0b0948e29b3e
SHA1

ea8ea0882d9cca04a603495e0a68753d7482c6e8
SHA256

4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12
SHA512

c58d9a1fa57ab22dc35f267c030e38ff6f4b7687e4ddb77eb2a9b2e52d31864ebbfd981eab240c4b544ad593c269ff534470efaa6cad2fb58c82c2ecf1fc21f6
SSDEEP

1536:84d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:8IdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1064	omsecor.exe
464	omsecor.exe
1944	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2308	4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe
2308	4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe
1064	omsecor.exe
1064	omsecor.exe
464	omsecor.exe
464	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x00090000000120f8-2.dat	upx
behavioral1/memory/2308-9-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/memory/1064-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2308-8-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1064-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-17.dat	upx
behavioral1/memory/1064-27-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/464-26-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x00090000000120f8-38.dat	upx
behavioral1/memory/464-32-0x0000000001B60000-0x0000000001B9E000-memory.dmp	upx
behavioral1/memory/464-39-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1944-40-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1064	2308	4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe	30
PID 2308 wrote to memory of 1064	2308	4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe	30
PID 2308 wrote to memory of 1064	2308	4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe	30
PID 2308 wrote to memory of 1064	2308	4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe	30
PID 1064 wrote to memory of 464	1064	omsecor.exe	33
PID 1064 wrote to memory of 464	1064	omsecor.exe	33
PID 1064 wrote to memory of 464	1064	omsecor.exe	33
PID 1064 wrote to memory of 464	1064	omsecor.exe	33
PID 464 wrote to memory of 1944	464	omsecor.exe	34
PID 464 wrote to memory of 1944	464	omsecor.exe	34
PID 464 wrote to memory of 1944	464	omsecor.exe	34
PID 464 wrote to memory of 1944	464	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe
"C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
dfde9195d33a3ede6f3b575bf70a9328

SHA1
fad0571404eb6085cb46bc865bc70e02f91193ac

SHA256
67d6e4bf83e9ea6ac9fbd3d5295729841370d7821c0ba4fe6ce21739ee6a183b

SHA512
00a58495349c82767a9b6096c25d35c8c793aa6f1bc7079cd49e62aa6e05755bb52c15b6c6be57d921a2308f6806ac45df4b0e466b16749b2fdcc48e4b3688af

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
5246311195eaa78de8b60ffec74d4099

SHA1
535ff70d664c6da43e8969c2dc8fbeecebb01a8a

SHA256
a5fdef73816f85147e001ef83098a90ab772d19b8039ce5ad4db7222b059937d

SHA512
21250c466d355990352475c2ede703c8abec65b5bd4e30792307c503b13bb65a5ea61d1d1cd762f9f8582940af4884f0db89a436a97a3e1ad52bfee336372d70

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
5305310ee399e78a545eb60f428c3dd6

SHA1
510e1151776c24b657739f6eb05d5b90831bcb09

SHA256
0ccb53ae680ce8193b0047b0be0af118cc5c93f69dd857453d76b1d041c852c7

SHA512
c20eb32f5463c73024a3f2d3ec9013f62e3019411cbcb6fe2706b81297224b74bf26450bb6064fa2ccba90415f5198bcd67f48e6f3e2ca93914f12e627e74ca0

Download Submit
memory/464-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/464-32-0x0000000001B60000-0x0000000001B9E000-memory.dmp

Filesize
248KB

Download
memory/464-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-24-0x0000000001F50000-0x0000000001F8E000-memory.dmp

Filesize
248KB

Download
memory/1064-19-0x0000000001F50000-0x0000000001F8E000-memory.dmp

Filesize
248KB

Download
memory/1944-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-9-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing