neconyd | 9534fad1e1065adc707382be5c0b42273236d9697059b902801caf5f08659e93

General

Target

9eb2486f2c16ac17a914d2ac046aa100N.exe
Size

35KB
MD5

9eb2486f2c16ac17a914d2ac046aa100
SHA1

d5419f3c2ebd6d4d076bd50ce9640889fa12256b
SHA256

9534fad1e1065adc707382be5c0b42273236d9697059b902801caf5f08659e93
SHA512

8e171907e8dde0f15efa3cc2cc9c5b8ed5201d739fa8970dea1b22501ee8edd5e719e90eb51352225d9640412bc5431814e99750c855cddcc1916a0f8a12d315
SSDEEP

768:A6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:X8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
3064	omsecor.exe
2804	omsecor.exe
2204	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3588-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3588-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x00080000000234c9-7.dat	upx
behavioral2/memory/3064-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3064-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3064-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3064-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3064-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000c0000000217b7-18.dat	upx
behavioral2/memory/2804-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3064-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x00080000000234c9-25.dat	upx
behavioral2/memory/2204-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2804-28-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2204-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eb2486f2c16ac17a914d2ac046aa100N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 3064	3588	9eb2486f2c16ac17a914d2ac046aa100N.exe	83
PID 3588 wrote to memory of 3064	3588	9eb2486f2c16ac17a914d2ac046aa100N.exe	83
PID 3588 wrote to memory of 3064	3588	9eb2486f2c16ac17a914d2ac046aa100N.exe	83
PID 3064 wrote to memory of 2804	3064	omsecor.exe	97
PID 3064 wrote to memory of 2804	3064	omsecor.exe	97
PID 3064 wrote to memory of 2804	3064	omsecor.exe	97
PID 2804 wrote to memory of 2204	2804	omsecor.exe	98
PID 2804 wrote to memory of 2204	2804	omsecor.exe	98
PID 2804 wrote to memory of 2204	2804	omsecor.exe	98

C:\Users\Admin\AppData\Local\Temp\9eb2486f2c16ac17a914d2ac046aa100N.exe
"C:\Users\Admin\AppData\Local\Temp\9eb2486f2c16ac17a914d2ac046aa100N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
555f0d0ba981f68ac7023e38886ea8a6

SHA1
3369f65d80f91db53a122820373e724ed09eef6b

SHA256
0dc804dc7a0e68be9c753ed9537de19a4ecd01a07f1276a6dd12c410c3c45324

SHA512
011fa6934bfaaef1ccd26f8c9a5ee4e370c6816320fcfbf55fdabc772f90dbd1232c94267a92267e40466ea8aa773d693bd9ab8cda1719d76d47a300df1eca27

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
73c967aa14b9a97b2a554d00794ab542

SHA1
28652e33b271ef3592667edff54e75fd5fb1c177

SHA256
f8e3d044029279e74afeede61196e1adf5aa851a81b13daeb741a577b9d7bb78

SHA512
0b8d3786dad5b9b2a23db584c1a0623a6f2c07bb99c17e2f19255f7912c3fdd5bdfcaa88d530b968be13aaf5938339e77db14726f1b5d257f6f7fd5d57dcc6a4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
f60d2e7ca988fa1e25ff3ba6b93618a4

SHA1
469d6fb5f31e768b443e29656ba3e6bc6ee4e6fc

SHA256
52a96a2b1d2c709037a3b649a66145feaddbf65cc699f261462ccdeffea533ae

SHA512
8ea8f4ef6a1b995aa7ec341ee2835cba16ae9412e1d079b44e44685c5b3d6d4874d11e5408f7bee53e814bfd3d3ed08b665d6600e11f4588a0fa775955011ac8

Download Submit
memory/2204-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2204-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2804-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2804-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3588-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3588-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing