neconyd | 4c9b7dfdee5be1f7f0a9cf8f956356b714af56ea4d0be0d68fbddbbbd1d45b83

General

Target

00a315aaac97173b5fe64ad100cb4e50N.exe
Size

35KB
MD5

00a315aaac97173b5fe64ad100cb4e50
SHA1

e921047c84a3b220d49977e77774c2d23fa28513
SHA256

4c9b7dfdee5be1f7f0a9cf8f956356b714af56ea4d0be0d68fbddbbbd1d45b83
SHA512

1ef40587b1142e5a112847e4517703e1f9a50a1c672902fb3d0c34fc8bcf39724c80bf78c4180209a3ac458a526c288ffb95a4087f58b991bf39e679547d3366
SSDEEP

768:j6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:e8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2580	omsecor.exe
608	omsecor.exe
1360	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2604	00a315aaac97173b5fe64ad100cb4e50N.exe
2604	00a315aaac97173b5fe64ad100cb4e50N.exe
2580	omsecor.exe
2580	omsecor.exe
608	omsecor.exe
608	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2604-4-0x00000000001B0000-0x00000000001DD000-memory.dmp	upx
behavioral1/files/0x00080000000120fd-12.dat	upx
behavioral1/memory/2604-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2580-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2580-17-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2580-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2580-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x00310000000162f6-25.dat	upx
behavioral1/memory/2580-26-0x0000000000290000-0x00000000002BD000-memory.dmp	upx
behavioral1/memory/2580-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x00080000000120fd-37.dat	upx
behavioral1/memory/608-39-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/608-45-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1360-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00a315aaac97173b5fe64ad100cb4e50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2580	2604	00a315aaac97173b5fe64ad100cb4e50N.exe	29
PID 2604 wrote to memory of 2580	2604	00a315aaac97173b5fe64ad100cb4e50N.exe	29
PID 2604 wrote to memory of 2580	2604	00a315aaac97173b5fe64ad100cb4e50N.exe	29
PID 2604 wrote to memory of 2580	2604	00a315aaac97173b5fe64ad100cb4e50N.exe	29
PID 2580 wrote to memory of 608	2580	omsecor.exe	31
PID 2580 wrote to memory of 608	2580	omsecor.exe	31
PID 2580 wrote to memory of 608	2580	omsecor.exe	31
PID 2580 wrote to memory of 608	2580	omsecor.exe	31
PID 608 wrote to memory of 1360	608	omsecor.exe	32
PID 608 wrote to memory of 1360	608	omsecor.exe	32
PID 608 wrote to memory of 1360	608	omsecor.exe	32
PID 608 wrote to memory of 1360	608	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\00a315aaac97173b5fe64ad100cb4e50N.exe
"C:\Users\Admin\AppData\Local\Temp\00a315aaac97173b5fe64ad100cb4e50N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
6f3b7e99495037e649d56b3dc2caa544

SHA1
f7f77af41d722fa0ebb16c7349f268dac5466014

SHA256
03bddd16e186ae253d3e89363c8e5f0aa3fee3bad5499908d06d7316186e3753

SHA512
56f03a4ef0174c754d3e1411ac8dbef9e442caf5d34afa9f2161146e0ed5fa48392321cd0fe46dac86576ae47533eb124808666c853af799ee3638f73a1db3bb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
a81eb1d05b00598005fb3084ef2d888c

SHA1
cf7fe9731ce3322249cb78b0f3f4f6b5350238e2

SHA256
4c6883b33db2331c394e5987be468587d4139e988da7ea8a502cc94176f60048

SHA512
d06b1e224e204cf00db0c9d8306e57b37a0d3577d828a4744d94f35e79fed7a2ab21c3b9e3c2c76f4ea1383ea6081fcea3553e719a9ce6c7900d94ee77a9d6aa

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
b5585eca0a07ac0b135e20c7df48ee60

SHA1
daa518b0bc7f3d221f4412c5ab6339f6142fd0da

SHA256
3b468651a3fcfe38a3afdffee22b8bfc1b04cd2516a908ceddea5640ab0f1d54

SHA512
0e63caa9993c58cbb650232e8064785fc271fa1dce3718503e3781e0e547071f7f6bfeeb7a51943ef033e54de2459e0bbc64291c14f51c0cb4f5d332113b0662

Download Submit
memory/608-45-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/608-39-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1360-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2580-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2580-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2580-17-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2580-26-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/2580-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2580-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2604-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2604-10-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2604-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2604-4-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing