neconyd | a19baf57d6755ee9b6f3ed66026afbac02b9fc25657b971e76b711a4d0fa8771

General

Target

da240003eb90a6409c44b1f83bf85710N.exe
Size

248KB
MD5

da240003eb90a6409c44b1f83bf85710
SHA1

70a054aac84a4253dc14a812337191b692afef67
SHA256

a19baf57d6755ee9b6f3ed66026afbac02b9fc25657b971e76b711a4d0fa8771
SHA512

1bfda83cb6f69c3cf3b9d3588b3557b34d4a65737865605fb90cbfedbdaa929698c7913a18dad4c289970207d1fa4f1e19ebe2efc009d16d16c2b13b20390e14
SSDEEP

1536:j4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:jIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1684	omsecor.exe
2516	omsecor.exe
1976	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2024	da240003eb90a6409c44b1f83bf85710N.exe
2024	da240003eb90a6409c44b1f83bf85710N.exe
1684	omsecor.exe
1684	omsecor.exe
2516	omsecor.exe
2516	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2024-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000700000001211b-2.dat	upx
behavioral1/memory/2024-4-0x00000000001B0000-0x00000000001EE000-memory.dmp	upx
behavioral1/memory/2024-9-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1684-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1684-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0032000000015dab-17.dat	upx
behavioral1/memory/2516-26-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1684-25-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000700000001211b-29.dat	upx
behavioral1/memory/2516-36-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1976-38-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1976-40-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da240003eb90a6409c44b1f83bf85710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1684	2024	da240003eb90a6409c44b1f83bf85710N.exe	30
PID 2024 wrote to memory of 1684	2024	da240003eb90a6409c44b1f83bf85710N.exe	30
PID 2024 wrote to memory of 1684	2024	da240003eb90a6409c44b1f83bf85710N.exe	30
PID 2024 wrote to memory of 1684	2024	da240003eb90a6409c44b1f83bf85710N.exe	30
PID 1684 wrote to memory of 2516	1684	omsecor.exe	32
PID 1684 wrote to memory of 2516	1684	omsecor.exe	32
PID 1684 wrote to memory of 2516	1684	omsecor.exe	32
PID 1684 wrote to memory of 2516	1684	omsecor.exe	32
PID 2516 wrote to memory of 1976	2516	omsecor.exe	33
PID 2516 wrote to memory of 1976	2516	omsecor.exe	33
PID 2516 wrote to memory of 1976	2516	omsecor.exe	33
PID 2516 wrote to memory of 1976	2516	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\da240003eb90a6409c44b1f83bf85710N.exe
"C:\Users\Admin\AppData\Local\Temp\da240003eb90a6409c44b1f83bf85710N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
d2eef6db95144e6cbbc07cc19ed9c883

SHA1
4da8d18db2cd554b5cdfcc8538c374b62aae12d0

SHA256
9bf79757956ffb62d966bc3282619b66a9df36a9ee18c67ebaa836be4df61e6c

SHA512
724ec1b185139be3fc63ce7760ed83d2effb7db7b96f1e290ca1e0d1dbd075fa27b7824d5bf03165a275ca45dfc5b47e21c820a0215115f0d6f949d80110d925

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
34f11b0eb702a1b4bb4e625562d9d254

SHA1
edacefed01e4933e3d5d0475c088d9e99a21bda7

SHA256
f7c1e54ecbd9a5f5159d1b07cf0112f9e0113e847fc8af398ff140f242714b71

SHA512
e1daa6173e312157997d1d364b5f1cb421bb576726b0c345e452bbcd358c5f36e11c9d9c949dca03442de8db990d4338f0049d51a3fd2296f5f47d831657b104

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
4cbb51539cace295bf1482a31033c573

SHA1
7b60cfa2f26eaec62b34752e3badbe05491fe94c

SHA256
80a8c92cc90f4829388623acfcb33ac679da2b6f387bb3c514d22e8e5d84db61

SHA512
faa7081d3db10ff9a0c0d8cb2a19e836caab15313174082652c18bcb50c9f308299b4a740f54ce8373610e59b7a1619f9dee70c2956a6eccf2a9e518ec895b94

Download Submit
memory/1684-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-23-0x0000000002160000-0x000000000219E000-memory.dmp

Filesize
248KB

Download
memory/1976-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-4-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2516-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-31-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2516-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing