neconyd | 4cbeb8a3d053ee3e313e41fbfc3b2a41b2d1f7f4f914f4d511dc88d5d7fe65aa

General

Target

95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe
Size

248KB
MD5

95d6ed0b6d64b9b49ca22a8dfe6813a0
SHA1

8ab00dc5f5b3dc985d50a33366c67ec21cf5ceab
SHA256

4cbeb8a3d053ee3e313e41fbfc3b2a41b2d1f7f4f914f4d511dc88d5d7fe65aa
SHA512

f54fcfc32921fbfd8210bb1b4bfcfe2275ae72e555b0ba57b95de13d5947ee2bdc2451afaed131c1ebd09c7ab82fb953efdca3e40a39bef8be2bff8ac625139e
SSDEEP

1536:o4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:oIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
4332	omsecor.exe
2888	omsecor.exe
4536	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4948-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4948-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x0009000000023453-4.dat	upx
behavioral2/memory/4332-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4332-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000a0000000234c0-10.dat	upx
behavioral2/memory/2888-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4332-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x0009000000023453-16.dat	upx
behavioral2/memory/2888-17-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4536-19-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4536-20-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4332	4948	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe	84
PID 4948 wrote to memory of 4332	4948	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe	84
PID 4948 wrote to memory of 4332	4948	95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe	84
PID 4332 wrote to memory of 2888	4332	omsecor.exe	100
PID 4332 wrote to memory of 2888	4332	omsecor.exe	100
PID 4332 wrote to memory of 2888	4332	omsecor.exe	100
PID 2888 wrote to memory of 4536	2888	omsecor.exe	101
PID 2888 wrote to memory of 4536	2888	omsecor.exe	101
PID 2888 wrote to memory of 4536	2888	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe
"C:\Users\Admin\AppData\Local\Temp\95d6ed0b6d64b9b49ca22a8dfe6813a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
3e7dd276b4b41063e863bbdbd43523e4

SHA1
ec7e2fe24eb983247641b67fc078af797192461f

SHA256
f6ce094d38333c90b7c1c811a3c10796ed24d5c98fe96e95a8e9098c32de179a

SHA512
65d4a836bf7f3fb2279591019350fdae42b96c9352e7ce564df12929c1756ed95f38f27f9760d9bf1162afcaba6ec93eafc00dc56708fed27ff5037ad186f895

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
c5e915542b14b757dc0917a3f7ab147a

SHA1
c60d616e0881f50c3dfe19212c7369c3cdb697fe

SHA256
fbaeb551278d8b5f030e08cab2918cc0ba7c635785f6327a669a56b11e8083de

SHA512
86b14f50235ab30ae2b22c557b737312a9bca1c1bb70b72c48a89ba20b563bede1d5487f7227da2373940dd3d9c101db80505945788ba903bdf0185eb4248767

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
e0b609c061015025972bc602917de175

SHA1
1b34d41689d66e079dd8fd35b5c51197db325b3e

SHA256
829be2938bfab4191abad9b86a56722321697d43899da4b32bccbe98d9a56be2

SHA512
c16f0de6b421a22db6e7cd056e8e23d2de299f4fb66f61e9d1fd0339663d8547235303e8ca6ab85cd3b3e6c9a7ee40a14ed7dc5ef3abc7bbd19d624c6a469f4b

Download Submit
memory/2888-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4332-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4332-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4332-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing