neconyd | c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbb

General

Target

c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe
Size

35KB
MD5

01b3ec57aee78f05e3d2a88846a1f0f0
SHA1

e280f54763bbb4148c3ad8619ad84e8796db60a7
SHA256

c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbb
SHA512

13fa6572c71cec96307d20f04bb0a3ad0cd67940a7f08d6abe634b103b80841b7a56630b2b2cb030afcadcee459eebf31ca577779fd09c65c2a6d81f01051119
SSDEEP

768:Z6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:08Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
4472	omsecor.exe
2212	omsecor.exe
3024	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2044-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000900000002346e-3.dat	upx
behavioral2/memory/4472-4-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2044-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4472-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4472-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4472-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4472-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0002000000022357-17.dat	upx
behavioral2/memory/2212-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4472-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000900000002346e-24.dat	upx
behavioral2/memory/3024-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2212-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3024-29-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 4472	2044	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe	82
PID 2044 wrote to memory of 4472	2044	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe	82
PID 2044 wrote to memory of 4472	2044	c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe	82
PID 4472 wrote to memory of 2212	4472	omsecor.exe	92
PID 4472 wrote to memory of 2212	4472	omsecor.exe	92
PID 4472 wrote to memory of 2212	4472	omsecor.exe	92
PID 2212 wrote to memory of 3024	2212	omsecor.exe	93
PID 2212 wrote to memory of 3024	2212	omsecor.exe	93
PID 2212 wrote to memory of 3024	2212	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe
"C:\Users\Admin\AppData\Local\Temp\c4e305814994e147de0040701fb2c04ada6a92647a6d1a6f7a09c5395726adbbN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
3ec6fd70924662df5ce81123c065ac99

SHA1
897cf1c289275cb58f1ca51d1ff11cc483f2edbb

SHA256
933f63269467f8081103414b19a3af891bee51432cc7715d4d6853bd95607aa9

SHA512
662e71aed13f721f61abd2a8bcbf9549d7228f74402d7b9c891b69d6460b945df477ea904383789512038389333d88cec91e826698c358b3ad4fc998b6ff9d1d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
8e1b84949a9ebd576a948c936101ea08

SHA1
d306da73aec6cb0e0146f4f42acb8b67ba6ce9aa

SHA256
ddba7a797d9274f81cd9b6b3952310f939dc3d0bae2ca1599ac3380ba78c4c87

SHA512
275e552f1ed34eafc068c1c02b3c7c39ed16e2f21513f57fdb624be54dcd7ce9e39a91271305d84cb632f07c80ad5f249d1c0e4e32ca957d2dd0a9788f550cca

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
72649df98463bf3f85549ebc5fb1e3be

SHA1
383505509331a2d7b069ba230c837c30009d1e4a

SHA256
f6ef25e3d55024cc0bd572a6a1fefecd431152bc8fba30fc79f2e27f808f68b5

SHA512
2141ab86afa8ab9590a10e81ebba3767164c9f9a2a79df3626e3afe086f746db98a52e9bb630fd6d288882cef95fcf02d7574d61cdfb8d7bc01811ef1cb96f96

Download Submit
memory/2044-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2044-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3024-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3024-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4472-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4472-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4472-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4472-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4472-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4472-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing