neconyd | 72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233

General

Target

72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
Size

248KB
MD5

cb9a9db3e21843a9a051a52d2b53a290
SHA1

09eb7fb0f9991cd659bd3bb4d30593c16cc5aa2a
SHA256

72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233
SHA512

b965d755ec7fa481b707fca08a56e4664a51434b7fdead42e6e465a03191bd59d5cae9005b2698bfbef4ed659d57f046f6c4fc07b79c5ca5d969b4d60e39f427
SSDEEP

1536:N4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:NIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1928	omsecor.exe
3024	omsecor.exe
2884	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2336	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
2336	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
1928	omsecor.exe
1928	omsecor.exe
3024	omsecor.exe
3024	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-1-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-4.dat	upx
behavioral1/memory/1928-9-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1928-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-15.dat	upx
behavioral1/memory/1928-16-0x0000000000320000-0x000000000035E000-memory.dmp	upx
behavioral1/memory/1928-22-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-26.dat	upx
behavioral1/memory/3024-34-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3024-32-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/memory/2884-37-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1928	2336	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe	30
PID 2336 wrote to memory of 1928	2336	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe	30
PID 2336 wrote to memory of 1928	2336	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe	30
PID 2336 wrote to memory of 1928	2336	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe	30
PID 1928 wrote to memory of 3024	1928	omsecor.exe	33
PID 1928 wrote to memory of 3024	1928	omsecor.exe	33
PID 1928 wrote to memory of 3024	1928	omsecor.exe	33
PID 1928 wrote to memory of 3024	1928	omsecor.exe	33
PID 3024 wrote to memory of 2884	3024	omsecor.exe	34
PID 3024 wrote to memory of 2884	3024	omsecor.exe	34
PID 3024 wrote to memory of 2884	3024	omsecor.exe	34
PID 3024 wrote to memory of 2884	3024	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
"C:\Users\Admin\AppData\Local\Temp\72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
f2f9984da3f794106ad66efe8eedc41d

SHA1
a05c825299c390e2b2ea9dd0a5bc102c1a3673f9

SHA256
bb2e6e34015a989642e861974fe8cd79e25df47fdd546ecc68b8ddbac8538f44

SHA512
752163b8c21bc58e3adf51811b905701cfce9b0ebe721ae3408f5df94f6ef27a759153f4a8da085473ca463e384e84963be489739b4fd367ab5a8b2d41299997

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
3077688e9f0e52130136acce595b635d

SHA1
e7ed932981f5b02422eb67796d4d8b445fd5476f

SHA256
215f905c81b9b0e195489955b0e0f32c0af1557ad346f8b632a29c74c84fd7ac

SHA512
2bea727ef0ca55bac277d16c65ed41d20a71d920aba8e085c0abc6d4e791a0372eda330a08a64c5d8f74cc090466a943f4ff236fcdbb3194986872a59c6a4b56

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
86d32397655189563a98662b9b16d951

SHA1
38d21454e549e28486e71367808d6b8a4472dedd

SHA256
74b3c9b45a8482f70c57c83ec523fd2d87c41092499765466d34c7f0b3b4c407

SHA512
52a1b754e5c8c2706d00ee209c669f8626369ccdfbfde5a6366bea99702a9dba24eb339a153727ff86356c71cdd08458f59f10516b27afdfdf6ad8f33f6ec9f2

Download Submit
memory/1928-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-16-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/1928-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2336-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-33-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/3024-32-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing