neconyd | f09f5fbedc87c73c3a49e9f894c1bc35811d52077dc1d7b209a5e4c784b16e76

General

Target

51b904cfb017a458321232a72169a030N.exe
Size

248KB
MD5

51b904cfb017a458321232a72169a030
SHA1

29d837849655920da0663acf87f564084468e77a
SHA256

f09f5fbedc87c73c3a49e9f894c1bc35811d52077dc1d7b209a5e4c784b16e76
SHA512

7ab3c71d74ede056522826d9e6cbdb9e5a0d463d42487f6e0386c2f77bb30082938737b4ee8473e0abe4b880df691d8e39541056bd4770e5d3ed799beb1bab69
SSDEEP

1536:T4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:TIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1916	omsecor.exe
1256	omsecor.exe
2860	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3016	51b904cfb017a458321232a72169a030N.exe
3016	51b904cfb017a458321232a72169a030N.exe
1916	omsecor.exe
1916	omsecor.exe
1256	omsecor.exe
1256	omsecor.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3016-1-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000a000000012291-8.dat	upx
behavioral1/memory/1916-9-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1916-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-15.dat	upx
behavioral1/memory/1916-16-0x0000000002660000-0x000000000269E000-memory.dmp	upx
behavioral1/files/0x000a000000012291-27.dat	upx
behavioral1/memory/1256-26-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1916-23-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2860-35-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2860-37-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51b904cfb017a458321232a72169a030N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1916	3016	51b904cfb017a458321232a72169a030N.exe	30
PID 3016 wrote to memory of 1916	3016	51b904cfb017a458321232a72169a030N.exe	30
PID 3016 wrote to memory of 1916	3016	51b904cfb017a458321232a72169a030N.exe	30
PID 3016 wrote to memory of 1916	3016	51b904cfb017a458321232a72169a030N.exe	30
PID 1916 wrote to memory of 1256	1916	omsecor.exe	33
PID 1916 wrote to memory of 1256	1916	omsecor.exe	33
PID 1916 wrote to memory of 1256	1916	omsecor.exe	33
PID 1916 wrote to memory of 1256	1916	omsecor.exe	33
PID 1256 wrote to memory of 2860	1256	omsecor.exe	34
PID 1256 wrote to memory of 2860	1256	omsecor.exe	34
PID 1256 wrote to memory of 2860	1256	omsecor.exe	34
PID 1256 wrote to memory of 2860	1256	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\51b904cfb017a458321232a72169a030N.exe
"C:\Users\Admin\AppData\Local\Temp\51b904cfb017a458321232a72169a030N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
b14d9b9348db6cd7b2ee0670b0fd3da9

SHA1
b713a8864fc3a5501d0a916e5e3285d7193b60bb

SHA256
8815b6d088274ef110a335e08a55df40bc1adef08a152219a18052d08181b714

SHA512
64b480b435576f1ec971c25c68c4509118b7e95d410731241f98711d9b90fe39888ba7e329ce42dc4156a9131f06d46860d7a8adc1e9419f606bdb54e16b7671

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
6d58e8765aa53f6c201e18d5305c4420

SHA1
89462a014e73da47898f11e2b6646c21529a551e

SHA256
690c07d0ef922d1b0652b5b896de29626d7941fb8c8d8a3f7d94ebc36c201c07

SHA512
dbd2023b1f269c2ab3d54d8818cacc7ab9ecba71b0dfa29f46dcf5b5807d5eea8f0f74cddff7eeaed88260c020eb07606fbed63fc0fac048edbda31b03d43fcf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
2f23604ac189dc9c4d2f78b227e595b2

SHA1
4fa068ee032ef6f5732e0fdfb26437e825c7eaed

SHA256
8cf68817837528496016c12764386ab78260226d188c95c1ff64f4b5e4596e21

SHA512
1cdabb90878964392f2cbf747d76f002f107a94883fc802e632889b0adccfc18e6e7249b3227200c7e11ce5489fd7b89bdd822952e01e8c684c4e17ce7b56a47

Download Submit
memory/1256-29-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1256-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-16-0x0000000002660000-0x000000000269E000-memory.dmp

Filesize
248KB

Download
memory/1916-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3016-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing