neconyd | d5ed867b43849cb147111867cb56ac2bbf060c2ce41e2b9209da1bb296e04c47

General

Target

77abc33ac719c9524c70618a0288a5c0N.exe
Size

35KB
MD5

77abc33ac719c9524c70618a0288a5c0
SHA1

1d2915a6b18b24e89f72b82a9465390dc101a362
SHA256

d5ed867b43849cb147111867cb56ac2bbf060c2ce41e2b9209da1bb296e04c47
SHA512

b2d7fd291a1a503a560e2e64ce2fe690e697311acecc60692397dac64c06972f76b1704018f322672ca91b148ff0d5fd114eeedfabc88cc7b3b5278b35cd68ba
SSDEEP

768:h6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:s8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
1840	omsecor.exe
2824	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2040-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000800000002346c-3.dat	upx
behavioral2/memory/1840-4-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2040-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1840-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1840-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1840-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1840-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000c000000021a4a-17.dat	upx
behavioral2/memory/2824-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1840-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2824-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77abc33ac719c9524c70618a0288a5c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1840	2040	77abc33ac719c9524c70618a0288a5c0N.exe	83
PID 2040 wrote to memory of 1840	2040	77abc33ac719c9524c70618a0288a5c0N.exe	83
PID 2040 wrote to memory of 1840	2040	77abc33ac719c9524c70618a0288a5c0N.exe	83
PID 1840 wrote to memory of 2824	1840	omsecor.exe	97
PID 1840 wrote to memory of 2824	1840	omsecor.exe	97
PID 1840 wrote to memory of 2824	1840	omsecor.exe	97

C:\Users\Admin\AppData\Local\Temp\77abc33ac719c9524c70618a0288a5c0N.exe
"C:\Users\Admin\AppData\Local\Temp\77abc33ac719c9524c70618a0288a5c0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
1fc1b34c57dc76f7a62d034a3104a246

SHA1
48c81c30da674c9e0a3951340395f58b874c9189

SHA256
851706afb8a53f70aee74f29924241ed5eafe5c691e6260eecf598b41d16d352

SHA512
b8c7db882474c2f6ee41f0d6835de6328d22cac2151e569bcac0a30965e78dc739e6aa99f0b2a37ba882029007f38de3ff583c3e58b87fdb5701762731ecfdae

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
a29ef3553ecb134b6d2d0633bd3f235f

SHA1
2b175d29a1b5bf81b584fa692410c32c117f428d

SHA256
9d19f65bafe1c2fce2c29da5a3959480ec55e95da8cc77a795941ec46af6f0e3

SHA512
bff809ccd22296d6baa2f62b0bda761e8337b058f83c362500b1b99f6825ccd3caa0f6e5f2c80b975353c2e3838dc382d099f6c00949129c8a4d21429fecc27e

Download Submit
memory/1840-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1840-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1840-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1840-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1840-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1840-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2040-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2040-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2824-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2824-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing