neconyd | f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938

General

Target

f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe
Size

248KB
MD5

e2d2958b62fbbde73e1bb9a09c4c4020
SHA1

048e58aa6778b255ad9f0352bb669889d323f922
SHA256

f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938
SHA512

13d9a410f272ae337e7e6650838c473b9cb2cd3a5702a9944247359366c66cf6aa02fda3717cdf22ec2b8e1bac6c2abe7eacd748a80c2d75bd4132473ef641d4
SSDEEP

1536:G4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:GIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2388	omsecor.exe
1872	omsecor.exe
1640	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2504	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe
2504	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe
2388	omsecor.exe
2388	omsecor.exe
1872	omsecor.exe
1872	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000b00000001225a-7.dat	upx
behavioral1/memory/2388-10-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2388-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0008000000015d7f-15.dat	upx
behavioral1/memory/2388-17-0x0000000000310000-0x000000000034E000-memory.dmp	upx
behavioral1/memory/1872-26-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2388-22-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000b00000001225a-27.dat	upx
behavioral1/memory/1640-35-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2388	2504	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe	30
PID 2504 wrote to memory of 2388	2504	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe	30
PID 2504 wrote to memory of 2388	2504	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe	30
PID 2504 wrote to memory of 2388	2504	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe	30
PID 2388 wrote to memory of 1872	2388	omsecor.exe	33
PID 2388 wrote to memory of 1872	2388	omsecor.exe	33
PID 2388 wrote to memory of 1872	2388	omsecor.exe	33
PID 2388 wrote to memory of 1872	2388	omsecor.exe	33
PID 1872 wrote to memory of 1640	1872	omsecor.exe	34
PID 1872 wrote to memory of 1640	1872	omsecor.exe	34
PID 1872 wrote to memory of 1640	1872	omsecor.exe	34
PID 1872 wrote to memory of 1640	1872	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe
"C:\Users\Admin\AppData\Local\Temp\f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
d7f5f95ec0db0c443fc4c63e2197aa96

SHA1
33282e1bc182b786f60bd4bba92c4d3e1018f1dd

SHA256
ece77c7aa8ddc70dc0477b2047edc0a0cfaf133a76a730df3de81d3486a9de64

SHA512
a816cba95386a27f9c70a2c122dfaf2b042315138fe2ce506af8a820432a78783baaa0a56dc0834fa314144260ce06088fbe16f88c87a634f81a5ad5219e3c2d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
5a888dd1d6558c7cf201a3e94470bbf3

SHA1
22d8abf04331ab895493d5847bf2edfe009abfe1

SHA256
3a1077bfe36c10da8a3bce1663390c7e5bd870d5ca849cc93a52a57ed46a108b

SHA512
66e67761c01bdb4541a4364e020b1a0587e86b9de6a85302d12f19ea9ca67d98eff098c721595ccdff0f4d9bc3c04fb96bb7f9be044f93780657131d3fab7f5d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
1cd56270ee807e40fa82e4d48a0d568c

SHA1
e10a1be3249b259cf1121a14199f66f0c202121b

SHA256
3257319b7e6b446fa16558c5677fc47ceac1a809870bfd2f457ac99900dbd486

SHA512
ebe1fc61967afda84893a8e526515180438acf8505ea37745059a837c4453e8e6d77e9a3fdd01a802bba9677a8be023609f57f145b1c618a02d345dfa5521ef6

Download Submit
memory/1640-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1872-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-17-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2388-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing