neconyd | 23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216

General

Target

23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe
Size

248KB
MD5

38c9e48056133bb582ecdfe0def74983
SHA1

f2b20332fd87ffc1df014293722a1f03f08150e2
SHA256

23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216
SHA512

d5d193fbb321dc49d19dade8a6975d9c447329d0e99e26c151f86fbc4c5d39d0e6777aa22b82fad522d913d489f841af35c27daab6818276ba354210700ac8a4
SSDEEP

1536:04d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:0IdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2696	omsecor.exe
468	omsecor.exe
1316	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2372	23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe
2372	23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe
2696	omsecor.exe
2696	omsecor.exe
468	omsecor.exe
468	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0008000000012118-2.dat	upx
behavioral1/memory/2696-10-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2372-8-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2696-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x003500000001568f-16.dat	upx
behavioral1/memory/2696-17-0x0000000000320000-0x000000000035E000-memory.dmp	upx
behavioral1/memory/2696-23-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/468-30-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/files/0x0008000000012118-28.dat	upx
behavioral1/memory/1316-38-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/468-36-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1316-39-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2696	2372	23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe	31
PID 2372 wrote to memory of 2696	2372	23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe	31
PID 2372 wrote to memory of 2696	2372	23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe	31
PID 2372 wrote to memory of 2696	2372	23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe	31
PID 2696 wrote to memory of 468	2696	omsecor.exe	33
PID 2696 wrote to memory of 468	2696	omsecor.exe	33
PID 2696 wrote to memory of 468	2696	omsecor.exe	33
PID 2696 wrote to memory of 468	2696	omsecor.exe	33
PID 468 wrote to memory of 1316	468	omsecor.exe	34
PID 468 wrote to memory of 1316	468	omsecor.exe	34
PID 468 wrote to memory of 1316	468	omsecor.exe	34
PID 468 wrote to memory of 1316	468	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe
"C:\Users\Admin\AppData\Local\Temp\23019e94a4949252103b0c4ceb8edb9abcd3e0f4b7fd291c35f52ff517493216.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
87931e9d2d70d7fa2b1a33ecc8a4d256

SHA1
ca6ec044d18f5b2e9d3ff0de49da7845593eca62

SHA256
8c19d732ba2bf413326d9263f50ed35516f5424c2a208c7a3f90285a1ee26dab

SHA512
130f48738f2fcc2704f92fbe5b2c575a09b59e823e779742563fd7fb53d3d78903bb7844e73fc61367fba51b927a390baa4693b06ff2066d99040f60f7a4aa84

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
6f7b55bee8d426c2b75ac109d0bbdb0d

SHA1
ce608d39bd1bd8a61c4798fad78af8088a1df86e

SHA256
5009b1c59fe4444de6635c4633417e07f87877eec2f776640faa056171eed7ce

SHA512
9c72bf4a220d60694592269a3acbc6cbc8d2c4f651de0cef45b6b8e0f70fda011ee91f5b829ba371dd905b2d23d1199a2a19bc9361b5a7b7d390efcdae42b02f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
c550dc59903be0ae3910a3e771461018

SHA1
64f2ca6f82dc0547445dee6394d0c6b9e722db71

SHA256
5f3c62d422babf7759c4c7aa3f4b1fbbf16da6c2ae08e9fc6a0b5a126e92851d

SHA512
6f6aed330352dc55f95f2eed054f334be34dc36cffa8841aa87cc4b148c279ff9ddd3028378a4163f6385b0f64ea5a07dc3b8bcae0e47fe63dc86550251bc1fb

Download Submit
memory/468-30-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/468-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-25-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/2696-17-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/2696-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing