neconyd | a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8

General

Target

a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe
Size

248KB
MD5

9b3e14c2bae26abd3abab764a48978b0
SHA1

5bb632e94d0ac6a0b627aa81611a2d2efa7d7672
SHA256

a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8
SHA512

4c0b7213956414f3b2c9fc4eaf4855515393531e619e3106aa7f6de74bef5f6682edf6a468777234476d2bb33f05767a59bd73b6523c77a688c4f4182ddcca84
SSDEEP

1536:/4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:/IdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2560	omsecor.exe
2944	omsecor.exe
2716	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2992	a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe
2992	a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe
2560	omsecor.exe
2560	omsecor.exe
2944	omsecor.exe
2944	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2992-1-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0009000000012255-2.dat	upx
behavioral1/memory/2560-10-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2560-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x001300000001705d-15.dat	upx
behavioral1/memory/2560-16-0x00000000004B0000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2560-22-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0009000000012255-26.dat	upx
behavioral1/memory/2944-29-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/memory/2716-35-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2944-34-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2716-37-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2560	2992	a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe	30
PID 2992 wrote to memory of 2560	2992	a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe	30
PID 2992 wrote to memory of 2560	2992	a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe	30
PID 2992 wrote to memory of 2560	2992	a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe	30
PID 2560 wrote to memory of 2944	2560	omsecor.exe	32
PID 2560 wrote to memory of 2944	2560	omsecor.exe	32
PID 2560 wrote to memory of 2944	2560	omsecor.exe	32
PID 2560 wrote to memory of 2944	2560	omsecor.exe	32
PID 2944 wrote to memory of 2716	2944	omsecor.exe	33
PID 2944 wrote to memory of 2716	2944	omsecor.exe	33
PID 2944 wrote to memory of 2716	2944	omsecor.exe	33
PID 2944 wrote to memory of 2716	2944	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe
"C:\Users\Admin\AppData\Local\Temp\a04e318e694d783b4fe4647914e8930333524fbc42de244a854b817a78baf0e8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
c8157abb1b1e26f5b150fe05aa38fcd0

SHA1
f441fc51bec5b50e0c8c2fd6307a6186ddadb339

SHA256
c050b75c86f52cb86a3ddbfb23cc8c987591bcd9900e31c5f5b782babdf9e9b8

SHA512
aeda9006e412ab8c96b77c7971316c3d6f980b755832006590c0e2a026ad2c1e268c91e1ff40a492e23da3bf918c47333393bc91697d0084208794b00d2a8953

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
e6e26e9c4177c394d28ad4a63d9dee9b

SHA1
effe35342a516858e6a5404f14e1f5a5aaeabb37

SHA256
6437ff15b71cbec391ac44061677a45d575e33b28c6e755e62f4dc84e0c84faf

SHA512
f479299936d9c858f7bb0184475c29c7cb0fcfe1f9cb363c520a2fe6d4e797cb66622287a1f96059d27675b2052ef91ac641d6b68a8cd9e5ff00fac60798fc60

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
b7249ca1f70a57d2ad705eb76f7d576d

SHA1
2a288081ab9c00ec016835524204a5cf2d2f441a

SHA256
2ed674afe15f45a782b34ac0419e000e65ede7e8f920703984791f1f8d232aea

SHA512
4e5eb02911e56362e9cb1a612046b4c6d5427a933ab43e47f66569e17651da5876f1a99bb56b276f62962b1e2273b5d6e91b2777c6415fbda511fb96460aaaa5

Download Submit
memory/2560-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-16-0x00000000004B0000-0x00000000004EE000-memory.dmp

Filesize
248KB

Download
memory/2560-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-29-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2944-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing