neconyd | 2f75cf835f93584da736b5ea4172f7c32118bbc3eca94f32822991ca1d077dd3

General

Target

f6e486460014af795fb7c1fa9d3e4810N.exe
Size

248KB
MD5

f6e486460014af795fb7c1fa9d3e4810
SHA1

17f051b6f9f164ec4591e254e730ba7b9bf21982
SHA256

2f75cf835f93584da736b5ea4172f7c32118bbc3eca94f32822991ca1d077dd3
SHA512

07c6354e9ea14768ce96283caa9a0d7f65421dc51e1b59995a4507ff52208657c31a2d9a108f2b17cb8c5ba69d9c55ca34053e749c305e1f97c0c4e7f15f2e30
SSDEEP

1536:Y4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:YIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
916	omsecor.exe
2092	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
2548	f6e486460014af795fb7c1fa9d3e4810N.exe
2548	f6e486460014af795fb7c1fa9d3e4810N.exe
916	omsecor.exe
916	omsecor.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000c000000015635-2.dat	upx
behavioral1/memory/2548-4-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/memory/2548-9-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/916-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/916-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x002c000000018f84-17.dat	upx
behavioral1/memory/916-27-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2092-28-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2092-29-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6e486460014af795fb7c1fa9d3e4810N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 916	2548	f6e486460014af795fb7c1fa9d3e4810N.exe	29
PID 2548 wrote to memory of 916	2548	f6e486460014af795fb7c1fa9d3e4810N.exe	29
PID 2548 wrote to memory of 916	2548	f6e486460014af795fb7c1fa9d3e4810N.exe	29
PID 2548 wrote to memory of 916	2548	f6e486460014af795fb7c1fa9d3e4810N.exe	29
PID 916 wrote to memory of 2092	916	omsecor.exe	31
PID 916 wrote to memory of 2092	916	omsecor.exe	31
PID 916 wrote to memory of 2092	916	omsecor.exe	31
PID 916 wrote to memory of 2092	916	omsecor.exe	31

C:\Users\Admin\AppData\Local\Temp\f6e486460014af795fb7c1fa9d3e4810N.exe
"C:\Users\Admin\AppData\Local\Temp\f6e486460014af795fb7c1fa9d3e4810N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
f5d78509d65a830b899cf5b0d33962f5

SHA1
b3536e27c8da0f6f3d5eb995aeaf4a79ccd778aa

SHA256
0dc927c5d0f5dad8e111c0b561c32fcdc53eb4b7cc7113dc22ce9479843039a3

SHA512
b28aabc540ea58b9b786944610ad93b2acecfe353d093c51b3dde4161ed17ddab9fd9073ff740ca44ce1b272ba949e75766806b5a959e221274445a14822af5f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
a5d50b9858cfcb9524bb61cd99270e18

SHA1
10fcf7d9f9ef45212d72d09e4130652de7881bf3

SHA256
b91ba4106d7e8e3022ea858bf0f3c7798c92900f2d3ffdf754a47d60ff48d139

SHA512
962b971561dc105eea7bea1b3d22a90f7e789c9dac8619cae1c1f31bcc924b225794f17786d6f1450d8d11c9c60a9d4ebc11857b47fd512ce503f2beb10696f8

Download Submit
memory/916-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/916-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/916-23-0x00000000004C0000-0x00000000004FE000-memory.dmp

Filesize
248KB

Download
memory/916-24-0x00000000004C0000-0x00000000004FE000-memory.dmp

Filesize
248KB

Download
memory/916-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-4-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2548-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing