neconyd | d5ed867b43849cb147111867cb56ac2bbf060c2ce41e2b9209da1bb296e04c47

General

Target

77abc33ac719c9524c70618a0288a5c0N.exe
Size

35KB
MD5

77abc33ac719c9524c70618a0288a5c0
SHA1

1d2915a6b18b24e89f72b82a9465390dc101a362
SHA256

d5ed867b43849cb147111867cb56ac2bbf060c2ce41e2b9209da1bb296e04c47
SHA512

b2d7fd291a1a503a560e2e64ce2fe690e697311acecc60692397dac64c06972f76b1704018f322672ca91b148ff0d5fd114eeedfabc88cc7b3b5278b35cd68ba
SSDEEP

768:h6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:s8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2976	omsecor.exe
2696	omsecor.exe
1488	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
316	77abc33ac719c9524c70618a0288a5c0N.exe
316	77abc33ac719c9524c70618a0288a5c0N.exe
2976	omsecor.exe
2976	omsecor.exe
2696	omsecor.exe
2696	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/316-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-2.dat	upx
behavioral1/memory/316-4-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/2976-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/316-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2976-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2976-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2976-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2976-24-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-28.dat	upx
behavioral1/memory/2696-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2976-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-38.dat	upx
behavioral1/memory/2696-40-0x00000000001B0000-0x00000000001DD000-memory.dmp	upx
behavioral1/memory/2696-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1488-49-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1488-50-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77abc33ac719c9524c70618a0288a5c0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 2976	316	77abc33ac719c9524c70618a0288a5c0N.exe	30
PID 316 wrote to memory of 2976	316	77abc33ac719c9524c70618a0288a5c0N.exe	30
PID 316 wrote to memory of 2976	316	77abc33ac719c9524c70618a0288a5c0N.exe	30
PID 316 wrote to memory of 2976	316	77abc33ac719c9524c70618a0288a5c0N.exe	30
PID 2976 wrote to memory of 2696	2976	omsecor.exe	33
PID 2976 wrote to memory of 2696	2976	omsecor.exe	33
PID 2976 wrote to memory of 2696	2976	omsecor.exe	33
PID 2976 wrote to memory of 2696	2976	omsecor.exe	33
PID 2696 wrote to memory of 1488	2696	omsecor.exe	34
PID 2696 wrote to memory of 1488	2696	omsecor.exe	34
PID 2696 wrote to memory of 1488	2696	omsecor.exe	34
PID 2696 wrote to memory of 1488	2696	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\77abc33ac719c9524c70618a0288a5c0N.exe
"C:\Users\Admin\AppData\Local\Temp\77abc33ac719c9524c70618a0288a5c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
1fc1b34c57dc76f7a62d034a3104a246

SHA1
48c81c30da674c9e0a3951340395f58b874c9189

SHA256
851706afb8a53f70aee74f29924241ed5eafe5c691e6260eecf598b41d16d352

SHA512
b8c7db882474c2f6ee41f0d6835de6328d22cac2151e569bcac0a30965e78dc739e6aa99f0b2a37ba882029007f38de3ff583c3e58b87fdb5701762731ecfdae

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
00571154304a6edceb3d98573fe97cd6

SHA1
a41483509cf2c05555e17045c6936b27c805d226

SHA256
dc3623213a3a89641041b5cf63059ebc806a4264b4a986cd253184fbc50f6500

SHA512
90ba8a250b714b3f87490772429178760c55f809f34e9061a708503d1aeb3557e8f19d16cea7691bf7cc608e2d8c6da5122d86171304506cc875e821c58550e4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
2df3f0aa75cfc88a2ce684ad06541cba

SHA1
ae7125b545af76b2aa308038cfe96cd703ff6269

SHA256
6fc83cb608bacfb1018cb9a1af873e8f5f629fb97d4dc783c6b7f2ab75a8cd71

SHA512
ab0e9dc01296e964c3bbd8568433bcf3ac5736f15323b6959face9eba99d96ae8a335e3c48d53e2b0dc51dfd55e2c2ccb5e59d78067e82f57c5f9ebe1606664b

Download Submit
memory/316-4-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/316-10-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/316-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/316-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-50-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-49-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2696-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2696-40-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2696-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2976-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing