neconyd | a19baf57d6755ee9b6f3ed66026afbac02b9fc25657b971e76b711a4d0fa8771

General

Target

da240003eb90a6409c44b1f83bf85710N.exe
Size

248KB
MD5

da240003eb90a6409c44b1f83bf85710
SHA1

70a054aac84a4253dc14a812337191b692afef67
SHA256

a19baf57d6755ee9b6f3ed66026afbac02b9fc25657b971e76b711a4d0fa8771
SHA512

1bfda83cb6f69c3cf3b9d3588b3557b34d4a65737865605fb90cbfedbdaa929698c7913a18dad4c289970207d1fa4f1e19ebe2efc009d16d16c2b13b20390e14
SSDEEP

1536:j4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:jIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
4348	omsecor.exe
376	omsecor.exe
3248	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1816-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000800000002345a-3.dat	upx
behavioral2/memory/4348-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/1816-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4348-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000a0000000233a7-10.dat	upx
behavioral2/memory/4348-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/376-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000800000002345a-16.dat	upx
behavioral2/memory/3248-18-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/376-17-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3248-20-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da240003eb90a6409c44b1f83bf85710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 4348	1816	da240003eb90a6409c44b1f83bf85710N.exe	84
PID 1816 wrote to memory of 4348	1816	da240003eb90a6409c44b1f83bf85710N.exe	84
PID 1816 wrote to memory of 4348	1816	da240003eb90a6409c44b1f83bf85710N.exe	84
PID 4348 wrote to memory of 376	4348	omsecor.exe	101
PID 4348 wrote to memory of 376	4348	omsecor.exe	101
PID 4348 wrote to memory of 376	4348	omsecor.exe	101
PID 376 wrote to memory of 3248	376	omsecor.exe	102
PID 376 wrote to memory of 3248	376	omsecor.exe	102
PID 376 wrote to memory of 3248	376	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\da240003eb90a6409c44b1f83bf85710N.exe
"C:\Users\Admin\AppData\Local\Temp\da240003eb90a6409c44b1f83bf85710N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
6595d23e67d49f521aa652fe12e8407a

SHA1
03710ccdd2ddb00e77c23dc058474c09f5cfcdbc

SHA256
940ebdb7e5bdfb09a35649d8a5fc0995f5a44e49e73cb1a9cdd445c4cbb1c37a

SHA512
234376efdc0e5877a6f8f21fbd716bacd36a4d6c324550bf818f02daa998cf683f3d6ba5624e4daca5f56684a4042aa54cc6e6f0554fe6eedd39a42d6b6259b9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
d2eef6db95144e6cbbc07cc19ed9c883

SHA1
4da8d18db2cd554b5cdfcc8538c374b62aae12d0

SHA256
9bf79757956ffb62d966bc3282619b66a9df36a9ee18c67ebaa836be4df61e6c

SHA512
724ec1b185139be3fc63ce7760ed83d2effb7db7b96f1e290ca1e0d1dbd075fa27b7824d5bf03165a275ca45dfc5b47e21c820a0215115f0d6f949d80110d925

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
4c6a61d0ff0ea36c21c3575f4bb65216

SHA1
4cdeedc5c833a14def028ec254502dd1372998a2

SHA256
651bfeecdc81ca69bb90cd670f03c46cdf7b5cc89895075cc266328f5dc8a961

SHA512
f0465fee1c79a0f2d049634f6236cb52314e26712037e3635f2ae7e6aaabe4c3ed78ad1bef18b47b5b0b1028921d09ee6eec9e0cd1b5c2143d6fe03e4a9a65f4

Download Submit
memory/376-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/376-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3248-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3248-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing