neconyd | 72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233

General

Target

72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
Size

248KB
MD5

cb9a9db3e21843a9a051a52d2b53a290
SHA1

09eb7fb0f9991cd659bd3bb4d30593c16cc5aa2a
SHA256

72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233
SHA512

b965d755ec7fa481b707fca08a56e4664a51434b7fdead42e6e465a03191bd59d5cae9005b2698bfbef4ed659d57f046f6c4fc07b79c5ca5d969b4d60e39f427
SSDEEP

1536:N4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:NIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
5012	omsecor.exe
3524	omsecor.exe
4180	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4028-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x0009000000023c7c-4.dat	upx
behavioral2/memory/5012-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4028-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/5012-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x0011000000023b34-10.dat	upx
behavioral2/memory/3524-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/5012-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3524-16-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x0009000000023c7c-17.dat	upx
behavioral2/memory/4180-18-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4180-20-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 5012	4028	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe	84
PID 4028 wrote to memory of 5012	4028	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe	84
PID 4028 wrote to memory of 5012	4028	72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe	84
PID 5012 wrote to memory of 3524	5012	omsecor.exe	100
PID 5012 wrote to memory of 3524	5012	omsecor.exe	100
PID 5012 wrote to memory of 3524	5012	omsecor.exe	100
PID 3524 wrote to memory of 4180	3524	omsecor.exe	101
PID 3524 wrote to memory of 4180	3524	omsecor.exe	101
PID 3524 wrote to memory of 4180	3524	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe
"C:\Users\Admin\AppData\Local\Temp\72c041ea18a93dfe31baba219ce992e8dfd600dd04984c78bdf0e99341ba2233N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
83b7793f3e59ad032df6761b650c7acc

SHA1
6c4c707f8088e7a5c288fc0f657f1c1ca0b4a6e2

SHA256
44505c5f3a38a59907c3e258819f76dda475a6bb1c79a8d9497479cadd016c3e

SHA512
135beb0872d215ca42293f7b65a03da5772a5cf87af1a8165dd3b9130491ef884255f2d35f32ee768d62843ae03758ec0349268289cbc1aa038e0e299f826c44

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
3077688e9f0e52130136acce595b635d

SHA1
e7ed932981f5b02422eb67796d4d8b445fd5476f

SHA256
215f905c81b9b0e195489955b0e0f32c0af1557ad346f8b632a29c74c84fd7ac

SHA512
2bea727ef0ca55bac277d16c65ed41d20a71d920aba8e085c0abc6d4e791a0372eda330a08a64c5d8f74cc090466a943f4ff236fcdbb3194986872a59c6a4b56

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
9bb8ba9fbc4759f542e8fc8a52bee45f

SHA1
95543e87afaa8a33ae0e580bbea9fe5f7cfab896

SHA256
d58ca27a74e2bd4ea8404823c9adf18551b5afed0119221e5b294486b8f66711

SHA512
80b1292afd5bc12a728c39a3f1450aafc5a5b2bf5d08d45c5019afec2c35d3911496c6be94cc65c1b1667fa136515449aec575cb7cd690c4c11e5269d8381ff7

Download Submit
memory/3524-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing