neconyd | a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556

General

Target

a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe
Size

35KB
MD5

b0bd109c60255dcd32db9c51f2ec1825
SHA1

bea0a5a2e7eb0cb50dbae1afc6f1407e9a87e25d
SHA256

a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556
SHA512

e4857a4018d3bbb3bcfd59fe147ce9f8a752ea581ab3ec28f10bf58e6537a1911dbedf4f86ef2b4588383d1c94b95dc0e8963dc21e9babfb825774136f0a92ea
SSDEEP

768:R6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:c8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2784	omsecor.exe
2988	omsecor.exe
1104	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2632	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe
2632	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe
2784	omsecor.exe
2784	omsecor.exe
2988	omsecor.exe
2988	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2632-1-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000a000000012029-9.dat	upx
behavioral1/memory/2784-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2784-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2784-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2784-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2784-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-24.dat	upx
behavioral1/memory/2784-25-0x0000000000280000-0x00000000002AD000-memory.dmp	upx
behavioral1/memory/2784-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000a000000012029-36.dat	upx
behavioral1/memory/2988-38-0x00000000002F0000-0x000000000031D000-memory.dmp	upx
behavioral1/memory/2988-44-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1104-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1104-50-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2784	2632	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe	30
PID 2632 wrote to memory of 2784	2632	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe	30
PID 2632 wrote to memory of 2784	2632	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe	30
PID 2632 wrote to memory of 2784	2632	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe	30
PID 2784 wrote to memory of 2988	2784	omsecor.exe	33
PID 2784 wrote to memory of 2988	2784	omsecor.exe	33
PID 2784 wrote to memory of 2988	2784	omsecor.exe	33
PID 2784 wrote to memory of 2988	2784	omsecor.exe	33
PID 2988 wrote to memory of 1104	2988	omsecor.exe	34
PID 2988 wrote to memory of 1104	2988	omsecor.exe	34
PID 2988 wrote to memory of 1104	2988	omsecor.exe	34
PID 2988 wrote to memory of 1104	2988	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe
"C:\Users\Admin\AppData\Local\Temp\a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
00cc9190d5632e8d2d250094871d8c94

SHA1
7ceb3ee4d87d175c2a4a1342fae1dadf25d58453

SHA256
d555e555f7dcd8ca17bc94216bcb6edea15f14e8f15f655b9d494d06bdd3c56d

SHA512
b59003eb9a5256dfd729b36d80d8d6dc005d2fb03dad61bca7432369bb11e4dc137088b282364896aced2e6e7f6d6f39953a8968747f4356beee33c85ca17ba9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
d63b1d5cc2c621eef2a9f8caeb22ac28

SHA1
85e658e56cad9b8bb826a5cd05f196f6382a2220

SHA256
866e2d3dd5063186eccc89057982ad325997ba32ff496b469cb2236796bb506c

SHA512
03a1a70147aa3657f9209eebe9b44d7101840ef837a704f1bd74a7b940be8234cd509bbfdff29888e99b929b469379ced6189da0801a9e11cf9e06e4004e2e06

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
1cf8d4d2105c173fb66e4998f33112a6

SHA1
84ac52ef68bf47bcb3568f531e002bc16aea2e80

SHA256
bc80e63cefa392d2c4db9fdc92455951ef49e3884811dd262cf6c122174b0e5c

SHA512
7ffe896843a60985aea8d7f334cd6a72e5a4c6b96e46b64c48aac816053b88e47f8c6e035e8889c8669118276360cf81e0f308be643534a23dc83b68c26ac77d

Download Submit
memory/1104-50-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1104-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2632-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2784-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2784-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2784-25-0x0000000000280000-0x00000000002AD000-memory.dmp

Filesize
180KB

Download
memory/2784-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2784-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2784-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2784-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2988-38-0x00000000002F0000-0x000000000031D000-memory.dmp

Filesize
180KB

Download
memory/2988-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing