neconyd | f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe
Size

248KB
MD5

e2d2958b62fbbde73e1bb9a09c4c4020
SHA1

048e58aa6778b255ad9f0352bb669889d323f922
SHA256

f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938
SHA512

13d9a410f272ae337e7e6650838c473b9cb2cd3a5702a9944247359366c66cf6aa02fda3717cdf22ec2b8e1bac6c2abe7eacd748a80c2d75bd4132473ef641d4
SSDEEP

1536:G4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:GIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
4820	omsecor.exe
1588	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4252-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000900000002340c-3.dat	upx
behavioral2/memory/4820-4-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4252-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4820-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000c000000021a6e-10.dat	upx
behavioral2/memory/4820-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/1588-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/1588-14-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 4820	4252	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe	82
PID 4252 wrote to memory of 4820	4252	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe	82
PID 4252 wrote to memory of 4820	4252	f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe	82
PID 4820 wrote to memory of 1588	4820	omsecor.exe	92
PID 4820 wrote to memory of 1588	4820	omsecor.exe	92
PID 4820 wrote to memory of 1588	4820	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe
"C:\Users\Admin\AppData\Local\Temp\f4a8d01eb9a50a2fbd5326ecf03c5cfdffffa21b7dd5bb64169079fc582be938N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
d7f5f95ec0db0c443fc4c63e2197aa96

SHA1
33282e1bc182b786f60bd4bba92c4d3e1018f1dd

SHA256
ece77c7aa8ddc70dc0477b2047edc0a0cfaf133a76a730df3de81d3486a9de64

SHA512
a816cba95386a27f9c70a2c122dfaf2b042315138fe2ce506af8a820432a78783baaa0a56dc0834fa314144260ce06088fbe16f88c87a634f81a5ad5219e3c2d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
d059ba14121a9535b626f16bc9173bc5

SHA1
efa00c3adbe238e47d05d56f9924f4aadc911f44

SHA256
4817c3cc14a6c4a939877ca38593b1a2a878ed34cc5b46bb9c4bd098d0bbc6ec

SHA512
4f49ecdaf3a2f3df2658c07658812aedabc6f99becef1140b19603872cf3cb50ff97c1da4d0aa792ffe9801b5d418a8d72458bf166ad9a4110953540a7ea5d92

Download Submit
memory/1588-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download