neconyd | c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbb

General

Target

c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe
Size

35KB
MD5

01b3ec57aee78f05e3d2a88846a1f0f0
SHA1

e280f54763bbb4148c3ad8619ad84e8796db60a7
SHA256

c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbb
SHA512

13fa6572c71cec96307d20f04bb0a3ad0cd67940a7f08d6abe634b103b80841b7a56630b2b2cb030afcadcee459eebf31ca577779fd09c65c2a6d81f01051119
SSDEEP

768:Z6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:08Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
3020	omsecor.exe
2004	omsecor.exe
2016	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2344	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe
2344	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe
3020	omsecor.exe
3020	omsecor.exe
2004	omsecor.exe
2004	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000d0000000122e4-2.dat	upx
behavioral1/memory/2344-4-0x00000000003A0000-0x00000000003CD000-memory.dmp	upx
behavioral1/memory/2344-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3020-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3020-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3020-17-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3020-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3020-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-27.dat	upx
behavioral1/memory/2004-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3020-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000d0000000122e4-38.dat	upx
behavioral1/memory/2004-40-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/2004-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2016-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2016-51-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3020	2344	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe	30
PID 2344 wrote to memory of 3020	2344	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe	30
PID 2344 wrote to memory of 3020	2344	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe	30
PID 2344 wrote to memory of 3020	2344	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe	30
PID 3020 wrote to memory of 2004	3020	omsecor.exe	33
PID 3020 wrote to memory of 2004	3020	omsecor.exe	33
PID 3020 wrote to memory of 2004	3020	omsecor.exe	33
PID 3020 wrote to memory of 2004	3020	omsecor.exe	33
PID 2004 wrote to memory of 2016	2004	omsecor.exe	34
PID 2004 wrote to memory of 2016	2004	omsecor.exe	34
PID 2004 wrote to memory of 2016	2004	omsecor.exe	34
PID 2004 wrote to memory of 2016	2004	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe
"C:\Users\Admin\AppData\Local\Temp\c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
8e1b84949a9ebd576a948c936101ea08

SHA1
d306da73aec6cb0e0146f4f42acb8b67ba6ce9aa

SHA256
ddba7a797d9274f81cd9b6b3952310f939dc3d0bae2ca1599ac3380ba78c4c87

SHA512
275e552f1ed34eafc068c1c02b3c7c39ed16e2f21513f57fdb624be54dcd7ce9e39a91271305d84cb632f07c80ad5f249d1c0e4e32ca957d2dd0a9788f550cca

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
1a7754b5618e9c1fbd2e4348a0a0868c

SHA1
74dad70c73abcacca4f5a6921fcc8520296b89ea

SHA256
865e2f92def2264051981dfad1eeea1cc987bdc8b136e96d77fdec24f3f88f3c

SHA512
634c7e3422178d5c95086a5a13efb69d7cfb1482f4a1cc9d4d9c540f4fc377dce6059c38d4b4712a87e6a4f06439a5d1452c7689ff1e56c78fc8490b7a99ab9e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
8dd7face000cd837373779203b3f1603

SHA1
0b48235e051540c14520b0e398abfabb5927bd01

SHA256
10af671c5e06168efaf1bcb5a393d5c6dbea4dc4ec20c9a61adcbcaf82d229be

SHA512
a0a7711d6cb0eead1c4b26ede62fa8f8623da0e398580dd4cb62c1663ecdffd982a03511e9e246f2e98a9f8a25ced02de7a575f395489fc2f57926e8b09fe46a

Download Submit
memory/2004-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2004-40-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2004-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2016-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2016-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2344-4-0x00000000003A0000-0x00000000003CD000-memory.dmp

Filesize
180KB

Download
memory/2344-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2344-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3020-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3020-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3020-33-0x0000000000280000-0x00000000002AD000-memory.dmp

Filesize
180KB

Download
memory/3020-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3020-17-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3020-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3020-50-0x0000000000280000-0x00000000002AD000-memory.dmp

Filesize
180KB

Download
memory/3020-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing