neconyd | 473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65

General

Target

473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65.exe
Size

248KB
MD5

564dc0e6790a358cb44dd72d9fc9951c
SHA1

7ca1fb2b38b367cff092410a247b399525db81c0
SHA256

473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65
SHA512

58454893d43e47222e5a4cd950da705fdd70ef67ed3d3552de6b3b899d6361ab7e78728e0ff821faa876d65acac63d00ded6b1032693332e792118d0fdb0ca09
SSDEEP

1536:H4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:HIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4120 omsecor.exe
4864 omsecor.exe
912 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
4120	omsecor.exe
4864	omsecor.exe
912	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3832-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/4120-4-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3832-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4120-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/4864-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4120-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/912-18-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4864-17-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/912-20-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65.exeomsecor.exeomsecor.exeomsecor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3832 wrote to memory of 4120	3832	473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65.exe	omsecor.exe
PID 3832 wrote to memory of 4120	3832	473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65.exe	omsecor.exe
PID 3832 wrote to memory of 4120	3832	473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65.exe	omsecor.exe
PID 4120 wrote to memory of 4864	4120	omsecor.exe	omsecor.exe
PID 4120 wrote to memory of 4864	4120	omsecor.exe	omsecor.exe
PID 4120 wrote to memory of 4864	4120	omsecor.exe	omsecor.exe
PID 4864 wrote to memory of 912	4864	omsecor.exe	omsecor.exe
PID 4864 wrote to memory of 912	4864	omsecor.exe	omsecor.exe
PID 4864 wrote to memory of 912	4864	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65.exe
"C:\Users\Admin\AppData\Local\Temp\473a32f996d6419bcfcd658482e8b8ed3473bed66450eb26c091a8b4eafccc65.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
96284bf59bc429f46aab9e9a0a39c375

SHA1
a39a38e79777b4e5a8a2dc8a65c74ff506109992

SHA256
a3981b7cdf6bca1a1d34a517a920d76bc8aacc36cf0646a54161f148a47cb9b2

SHA512
f0ad8b21bba25237791eb54aac9a035ced2ffe0c98ad2427ca852a2275c81155a5d0aefa0fbda2907f56727db6377827928354ae07eeb74b7fe956f97af0f422

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
2a8b9e38face617c9d9067f35f1bf589

SHA1
f24f29a9b57bec70f121dbe3d3bae2b8bc8e477c

SHA256
b9024eba3817c68f636e9f3779e2d4ed92768ed3ffda3bfb498f0251711161bc

SHA512
864f5ec3847d0396b14de468550c49b10ea49ed3c85ead96d7d23ebc20cd749373901bb00e218145e1381bdb5c55bce8ffa2c6eff0dcea1a102540c804a2f4a0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
df2a3d514e8f892f085eb868459796fd

SHA1
44d0bf716a94df4c193d0f1d675c516f38f8c603

SHA256
77051d51c08cf43651d45ea651ca1ce6a64fb2207fb5485f6b0a1a9542daafa1

SHA512
168a94752dced8d449d2457ef380ed81bdd9adee55eb7b8e63800d06f7f735b4af58bc14dfac8f15fd5ffe140700a66fa1078ca0bb18003562b405ff26de7fd1

Download Submit
memory/912-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3832-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3832-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads