neconyd | 817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859

General

Target

817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe
Size

248KB
MD5

b4d115a8a413e7668705894360517410
SHA1

eb0f9bbdd11c2217cdd657bb51c79dbd8ba2475b
SHA256

817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859
SHA512

3cad08965a81cf13f0114165964ab8d294f4b7bbeab3a730feaba86aace4a39372594644bdfefb609e426e1ad5255423cbabb0336679f7c3210179e567c520a8
SSDEEP

1536:04d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:0IdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2692	omsecor.exe
2436	omsecor.exe
3000	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1740	817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe
1740	817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe
2692	omsecor.exe
2692	omsecor.exe
2436	omsecor.exe
2436	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1740-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0007000000012117-2.dat	upx
behavioral1/memory/2692-10-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1740-8-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2692-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-16.dat	upx
behavioral1/memory/2692-26-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2436-25-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0007000000012117-29.dat	upx
behavioral1/memory/3000-38-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2436-36-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3000-40-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2692	1740	817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe	30
PID 1740 wrote to memory of 2692	1740	817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe	30
PID 1740 wrote to memory of 2692	1740	817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe	30
PID 1740 wrote to memory of 2692	1740	817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe	30
PID 2692 wrote to memory of 2436	2692	omsecor.exe	33
PID 2692 wrote to memory of 2436	2692	omsecor.exe	33
PID 2692 wrote to memory of 2436	2692	omsecor.exe	33
PID 2692 wrote to memory of 2436	2692	omsecor.exe	33
PID 2436 wrote to memory of 3000	2436	omsecor.exe	34
PID 2436 wrote to memory of 3000	2436	omsecor.exe	34
PID 2436 wrote to memory of 3000	2436	omsecor.exe	34
PID 2436 wrote to memory of 3000	2436	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe
"C:\Users\Admin\AppData\Local\Temp\817855a4c5efbdf185bbfdfd4d9e90c023743f9015508726660dc478ee574859N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
7f59a526f8106b8907daaaeb7d1e2fce

SHA1
8c7dac0747a2646f9ce8d5715a805e87ebeba26b

SHA256
ff0a957a230a717a6aa44939e399bd19a0c5647b90ea0de5c7c0ebe2e7fbb936

SHA512
98d5c470f298905a7ad7f8b20a81beab4353249dfafb59214c018c0b1e0d802ff538853b9d68ef5320cf4492151c8a2107a236f1dc482326c5bfb5e869c5e27d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
66e46ae8efc3b154374d796390116bff

SHA1
34e0e1d13854053b5e6787002750517e400b0b67

SHA256
3b55f835e9b9ef3d7a1c6a2b2dcc4a004b56a7dd2af1c94073af08ba59b8653b

SHA512
e35674b8f599902b602e8a632715062ad57386c2249355deb294e59246ecb44399f1a6a4eb3a82d4bdf6624e749100e5127de2effdba410c5c482ddcd764c05a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
0fc433c04837f92b7a0cd08053a7b9f5

SHA1
407e72c519020134db72fd48083e78fd8de2f665

SHA256
e78174d74a6dc77da8d9766620e0c9fb17f1688a81f73ca7a8c066244c108a92

SHA512
3a863641534cbc489249f848f592beeea8db3c0dba4a97aa09d6e5900e33be54a8cee97a2737928bf1e8463e17c83465c8b38dc6a83e21f952c8c5a7c11cebb4

Download Submit
memory/1740-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-35-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2436-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-18-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/2692-23-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/2692-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing