neconyd | fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a

General

Target

fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe
Size

248KB
MD5

7fd9fc278e27733fab339fccbff472ce
SHA1

b9593b25ccb2f2ab19f404503291d41cae3b88d8
SHA256

fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a
SHA512

b33721bf8c38706ec525541b042ab50435d97bf66f143439116d799bb4d382c3a9f030a1c3a702f1af90625708b414db543010a44c9dbf0c445bdb26f1d24118
SSDEEP

1536:24d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:2IdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2400	omsecor.exe
2160	omsecor.exe
2840	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1952	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe
1952	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe
2400	omsecor.exe
2400	omsecor.exe
2160	omsecor.exe
2160	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1952-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000b000000012266-9.dat	upx
behavioral1/memory/2400-10-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1952-8-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2400-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0009000000015dff-16.dat	upx
behavioral1/memory/2400-17-0x0000000000290000-0x00000000002CE000-memory.dmp	upx
behavioral1/memory/2400-23-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000b000000012266-28.dat	upx
behavioral1/memory/2160-29-0x00000000005D0000-0x000000000060E000-memory.dmp	upx
behavioral1/memory/2840-37-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2160-36-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2840-40-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2400	1952	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe	30
PID 1952 wrote to memory of 2400	1952	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe	30
PID 1952 wrote to memory of 2400	1952	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe	30
PID 1952 wrote to memory of 2400	1952	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe	30
PID 2400 wrote to memory of 2160	2400	omsecor.exe	32
PID 2400 wrote to memory of 2160	2400	omsecor.exe	32
PID 2400 wrote to memory of 2160	2400	omsecor.exe	32
PID 2400 wrote to memory of 2160	2400	omsecor.exe	32
PID 2160 wrote to memory of 2840	2160	omsecor.exe	33
PID 2160 wrote to memory of 2840	2160	omsecor.exe	33
PID 2160 wrote to memory of 2840	2160	omsecor.exe	33
PID 2160 wrote to memory of 2840	2160	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe
"C:\Users\Admin\AppData\Local\Temp\fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
6095985fbd93f86755464726d753dc3c

SHA1
574c0ee8969fd23397fd611fecd360c9a7add065

SHA256
2d4140e76ed1d9602f23227659854bb96e7262b3ddf58115f982117a0e75b795

SHA512
fe6dd6d84dafe71dcf91b05fe1608b9c3cae225da446297266ff0e1ae77e42fcfab99216053f59872573e0a5052c5c72a48b2914a23a01698d1273e9d196593c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
4a3f8b5b7b0cf945199feb05fdcb79c3

SHA1
8cd875a9b75fcdcc929b9d9e9992ce2009d33c40

SHA256
8440e052aa433bdb77020de65af9d165d7d6d4736d8ef150a3a4297eeeded6da

SHA512
d6110017d2391e4e9a57b0d8af95a7cac471b1bfec6d8c48b29fe7592ed623b83ded9b2a475669a2035ee07215e9f18e92bc63d452d5d5ae20c334fe2b0ff185

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
a189b857c91ab0f66031cb75e5a2ebac

SHA1
6bd7ab81e9f8ca9170e2d5fc5c907579435c2029

SHA256
0d1295d5ea84c31984ee1b935bc02e61068675401276f5c49c113ad27a797014

SHA512
ba33dc2d3ebc531cc649f34e690f8933bf0b629a47366c4b7bea7272f412d98e50cb1a44241e3bb9dc70c6d6f001f5eba242d018be8a6ad0788a2c0c526ed7f7

Download Submit
memory/1952-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2160-29-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2160-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-17-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2400-25-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2400-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-39-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2840-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2840-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing