neconyd | 4cbeb8a3d053ee3e313e41fbfc3b2a41b2d1f7f4f914f4d511dc88d5d7fe65aa

General

Target

95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe
Size

248KB
MD5

95d6ed0b6d64b9b49ca22a8dfe6813a0
SHA1

8ab00dc5f5b3dc985d50a33366c67ec21cf5ceab
SHA256

4cbeb8a3d053ee3e313e41fbfc3b2a41b2d1f7f4f914f4d511dc88d5d7fe65aa
SHA512

f54fcfc32921fbfd8210bb1b4bfcfe2275ae72e555b0ba57b95de13d5947ee2bdc2451afaed131c1ebd09c7ab82fb953efdca3e40a39bef8be2bff8ac625139e
SSDEEP

1536:o4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:oIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2508	omsecor.exe
2100	omsecor.exe
536	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2352	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe
2352	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe
2508	omsecor.exe
2508	omsecor.exe
2100	omsecor.exe
2100	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2352-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000f000000013423-2.dat	upx
behavioral1/memory/2352-4-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/memory/2508-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2352-9-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2508-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-17.dat	upx
behavioral1/memory/2100-29-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2508-26-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000f000000013423-30.dat	upx
behavioral1/memory/536-38-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/536-40-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2508	2352	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe	31
PID 2352 wrote to memory of 2508	2352	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe	31
PID 2352 wrote to memory of 2508	2352	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe	31
PID 2352 wrote to memory of 2508	2352	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe	31
PID 2508 wrote to memory of 2100	2508	omsecor.exe	33
PID 2508 wrote to memory of 2100	2508	omsecor.exe	33
PID 2508 wrote to memory of 2100	2508	omsecor.exe	33
PID 2508 wrote to memory of 2100	2508	omsecor.exe	33
PID 2100 wrote to memory of 536	2100	omsecor.exe	34
PID 2100 wrote to memory of 536	2100	omsecor.exe	34
PID 2100 wrote to memory of 536	2100	omsecor.exe	34
PID 2100 wrote to memory of 536	2100	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe
"C:\Users\Admin\AppData\Local\Temp\95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
c5e915542b14b757dc0917a3f7ab147a

SHA1
c60d616e0881f50c3dfe19212c7369c3cdb697fe

SHA256
fbaeb551278d8b5f030e08cab2918cc0ba7c635785f6327a669a56b11e8083de

SHA512
86b14f50235ab30ae2b22c557b737312a9bca1c1bb70b72c48a89ba20b563bede1d5487f7227da2373940dd3d9c101db80505945788ba903bdf0185eb4248767

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
2d1e7f5d210ed8d3269686332c457c07

SHA1
5daca55a99d9a30caa47b15d29584bbf19aff94b

SHA256
3fe66c4f267e28affc3248b48abd749b0c0277fa0b75a33e90f8ac28b90fd824

SHA512
87a3362b04e23e43c957be48b70249a5b3780c637dc3094b68710e21176aae728002f570de964155db7dbec468ce0aba60e24e6a3e4d19d4cfb4deab61f9875a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
bea540a78a54fb80c5816c2c1b9c8000

SHA1
a0805314ee30b8787e18b5d67766c48df1af58ce

SHA256
1ec8e4c96fb8834d90ae154595a551e3c15141fc3a3b3498a331baf61e709cc1

SHA512
75d963a90733f344a147a59d4ec79bbb22d9128f692b2e707faf47635f51d5b74e512d7e85bb94641d88902e8e77d369d33d08f290ce7e305ef02cfa9975a2aa

Download Submit
memory/536-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-32-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2100-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-4-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2352-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-19-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2508-24-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2508-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing