neconyd | 28ed2088ac0c9d741524a7d557f8c97d359ee2013902c04af40c38eab002788e

General

Target

d0490e520e69d412290a6ca948852d60N.exe
Size

35KB
MD5

d0490e520e69d412290a6ca948852d60
SHA1

0a710645858faa677d767132698def97ab1ff56a
SHA256

28ed2088ac0c9d741524a7d557f8c97d359ee2013902c04af40c38eab002788e
SHA512

4050ad3e35b508b97b8763d7d7c340ef89e073bd73b8fead0fe865ae01067138a0736a880cb179265122201ae28e7d0260191ec78a690f300a280ebce8d4885f
SSDEEP

768:h6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:s8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
3948	omsecor.exe
1616	omsecor.exe
5060	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4956-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000a000000023473-3.dat	upx
behavioral2/memory/4956-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3948-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3948-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3948-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3948-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3948-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1616-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0010000000023411-18.dat	upx
behavioral2/memory/3948-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000a000000023473-25.dat	upx
behavioral2/memory/5060-28-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1616-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5060-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0490e520e69d412290a6ca948852d60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3948	4956	d0490e520e69d412290a6ca948852d60N.exe	85
PID 4956 wrote to memory of 3948	4956	d0490e520e69d412290a6ca948852d60N.exe	85
PID 4956 wrote to memory of 3948	4956	d0490e520e69d412290a6ca948852d60N.exe	85
PID 3948 wrote to memory of 1616	3948	omsecor.exe	100
PID 3948 wrote to memory of 1616	3948	omsecor.exe	100
PID 3948 wrote to memory of 1616	3948	omsecor.exe	100
PID 1616 wrote to memory of 5060	1616	omsecor.exe	101
PID 1616 wrote to memory of 5060	1616	omsecor.exe	101
PID 1616 wrote to memory of 5060	1616	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\d0490e520e69d412290a6ca948852d60N.exe
"C:\Users\Admin\AppData\Local\Temp\d0490e520e69d412290a6ca948852d60N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
c4bc452d151abc1bc1cad632ce5bde17

SHA1
ff96c3a3d293437eb741ae4041c6ed48957952b6

SHA256
9c3c4fbf21400205174831f373375db24df4e16387f29b691064a1a1f6f5b142

SHA512
ac10b9a5ff3b60b76e2c585256aa0ac2bf42ff0afc3b7f2c2f911dad2a631f8053db515a4332121de7a42162c5dc98651aa855c8b6a08c30d1a38cbf70fe7007

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
a33639287cb58ec23fe6eb8e66eacca8

SHA1
04491a59cc6d3166a7e4970066719a9306071821

SHA256
253ddd7587b3938af93bb5055f95ad1f6282398c0afeabb8f27d68d0fe1a8859

SHA512
b966e2e93ec271a8131e8ed495f9ee15fded7b63b21a5b0e21520d48c793af473d56750cf4cbe50dec672bee4e1d522a8ade6b318d24c780c48b3af4d3014a51

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
6e684c483a4464d51d9dbee8b94a8114

SHA1
5a78f263b775ea20cfe85a67e555997df90f9103

SHA256
fdf1e14edcb34bfad66fac131f7a7484ae5780efa735a1d0dcbd29b2c2569fb7

SHA512
df61313f0e5b13db7321f099dcfa1f6adf64faeb65134a89c6eb72dfde803154fd98e83a3074140f79dbfeac68214dfe751dc1d76252dddd93104e3ef5324032

Download Submit
memory/1616-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1616-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3948-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3948-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3948-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3948-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3948-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3948-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4956-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4956-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5060-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5060-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing