neconyd | fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe
Size

248KB
MD5

7fd9fc278e27733fab339fccbff472ce
SHA1

b9593b25ccb2f2ab19f404503291d41cae3b88d8
SHA256

fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a
SHA512

b33721bf8c38706ec525541b042ab50435d97bf66f143439116d799bb4d382c3a9f030a1c3a702f1af90625708b414db543010a44c9dbf0c445bdb26f1d24118
SSDEEP

1536:24d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:2IdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
3676	omsecor.exe
4624	omsecor.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2120-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000800000002345a-3.dat	upx
behavioral2/memory/3676-4-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/2120-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3676-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000c000000023480-10.dat	upx
behavioral2/memory/4624-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3676-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4624-14-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 3676	2120	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe	86
PID 2120 wrote to memory of 3676	2120	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe	86
PID 2120 wrote to memory of 3676	2120	fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe	86
PID 3676 wrote to memory of 4624	3676	omsecor.exe	109
PID 3676 wrote to memory of 4624	3676	omsecor.exe	109
PID 3676 wrote to memory of 4624	3676	omsecor.exe	109

C:\Users\Admin\AppData\Local\Temp\fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe
"C:\Users\Admin\AppData\Local\Temp\fec9dca2fec0aa77d22161c3f0aa6890e4d53c7f3ebebd13893c63b85e58f34a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
6095985fbd93f86755464726d753dc3c

SHA1
574c0ee8969fd23397fd611fecd360c9a7add065

SHA256
2d4140e76ed1d9602f23227659854bb96e7262b3ddf58115f982117a0e75b795

SHA512
fe6dd6d84dafe71dcf91b05fe1608b9c3cae225da446297266ff0e1ae77e42fcfab99216053f59872573e0a5052c5c72a48b2914a23a01698d1273e9d196593c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
f2247708003b8898d12a2d38a1b807ae

SHA1
2511e2ad773951e78ce7e73645d65567fb9ea965

SHA256
c26fb4b1a4bb5bd43580417f55e4d39f43a5a45d906b2fb6114d4c28c76a81d2

SHA512
ae06ad871ad87316c03f974f3a7ca85b90741f3be2433365f2df48e81abf6430f24624dbb94b6e898d23729628f160b72a02b4dd0ead98c460248e36ce034c53

Download Submit
memory/2120-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4624-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4624-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download