neconyd | a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556

General

Target

a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe
Size

35KB
MD5

b0bd109c60255dcd32db9c51f2ec1825
SHA1

bea0a5a2e7eb0cb50dbae1afc6f1407e9a87e25d
SHA256

a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556
SHA512

e4857a4018d3bbb3bcfd59fe147ce9f8a752ea581ab3ec28f10bf58e6537a1911dbedf4f86ef2b4588383d1c94b95dc0e8963dc21e9babfb825774136f0a92ea
SSDEEP

768:R6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:c8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
3000	omsecor.exe
4112	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4744-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x00090000000233ea-4.dat	upx
behavioral2/memory/4744-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3000-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3000-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3000-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3000-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3000-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4112-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000023459-17.dat	upx
behavioral2/memory/3000-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4112-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4112-24-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3000	4744	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe	83
PID 4744 wrote to memory of 3000	4744	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe	83
PID 4744 wrote to memory of 3000	4744	a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe	83
PID 3000 wrote to memory of 4112	3000	omsecor.exe	97
PID 3000 wrote to memory of 4112	3000	omsecor.exe	97
PID 3000 wrote to memory of 4112	3000	omsecor.exe	97

C:\Users\Admin\AppData\Local\Temp\a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe
"C:\Users\Admin\AppData\Local\Temp\a39a55ed6f715fed9bdfdd37f309f545e2d8f6ee3351366f8594ec52bbd5f556.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
00cc9190d5632e8d2d250094871d8c94

SHA1
7ceb3ee4d87d175c2a4a1342fae1dadf25d58453

SHA256
d555e555f7dcd8ca17bc94216bcb6edea15f14e8f15f655b9d494d06bdd3c56d

SHA512
b59003eb9a5256dfd729b36d80d8d6dc005d2fb03dad61bca7432369bb11e4dc137088b282364896aced2e6e7f6d6f39953a8968747f4356beee33c85ca17ba9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
6591179ed8bdcc30d71793b97ebc71b5

SHA1
b129c5bafc8f259669274cf5af35695e5be0ef8d

SHA256
640c9042a0228d2c9ae02929ea011dc0743e92910251adc81fccbd73e4654f55

SHA512
3f01fee1def603953731bae4c63249712d7f1025633c57023c3ae7651b93ce70e9e4cfbf53bfd44cd7db12fd02682c477b3c20fd86684a61fcd93d1ce40c5dc3

Download Submit
memory/3000-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3000-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3000-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3000-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3000-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3000-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4112-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4112-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4112-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4744-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4744-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing