neconyd | 80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89ed

General

Target

80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe
Size

248KB
MD5

46646200127933eb608f6b5e323ab540
SHA1

553b2377ba405e07894359cfd2a730ef3195b17d
SHA256

80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89ed
SHA512

43941d3eff3d38c0b02b0cd453b4a95b7ae6311776935d64b65b4cb1e7cd2b6ca10a49a164a1944ccedf5f8593a10100dd571392a1f9fc5777180838743b6de1
SSDEEP

1536:I4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:IIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2600	omsecor.exe
1280	omsecor.exe
996	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1980	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe
1980	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe
2600	omsecor.exe
2600	omsecor.exe
1280	omsecor.exe
1280	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1980-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000d000000012281-11.dat	upx
behavioral1/memory/1980-10-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1980-8-0x00000000002D0000-0x000000000030E000-memory.dmp	upx
behavioral1/memory/2600-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-17.dat	upx
behavioral1/memory/2600-18-0x0000000000290000-0x00000000002CE000-memory.dmp	upx
behavioral1/files/0x000d000000012281-29.dat	upx
behavioral1/memory/1280-28-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2600-24-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/996-37-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/996-39-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2600	1980	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe	30
PID 1980 wrote to memory of 2600	1980	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe	30
PID 1980 wrote to memory of 2600	1980	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe	30
PID 1980 wrote to memory of 2600	1980	80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe	30
PID 2600 wrote to memory of 1280	2600	omsecor.exe	33
PID 2600 wrote to memory of 1280	2600	omsecor.exe	33
PID 2600 wrote to memory of 1280	2600	omsecor.exe	33
PID 2600 wrote to memory of 1280	2600	omsecor.exe	33
PID 1280 wrote to memory of 996	1280	omsecor.exe	34
PID 1280 wrote to memory of 996	1280	omsecor.exe	34
PID 1280 wrote to memory of 996	1280	omsecor.exe	34
PID 1280 wrote to memory of 996	1280	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe
"C:\Users\Admin\AppData\Local\Temp\80f7f3224e9c3a4067468988ce2d9e34ed87415a77ea8d6e63b15c281e3d89edN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
eba9f19f544fd55833dc5aeba50492be

SHA1
a35a25e0d5654d6509fb60fcc70f86228c93a036

SHA256
648ca124e69c2dce63cdb465defe7b945564b36ee819b1faecb861a4231b8290

SHA512
591416f6c48d02bf9b2593a9a90f251589b98f7b5ad7b39f08f92f7e3e468abbc0cbd18b35004ffc17745e299082ea5ebb598e898bc985b2fd40770f0ecaca2d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
99a78902b52dec57f6d626313ccc5ec5

SHA1
0410cc4e6b79fe1126770371ac6ba9275d777f5e

SHA256
9e974d47f9652bca00c8ef36f6d474c53d0151bfa9fe319b30c1a811218b170a

SHA512
593c24284059e806e27f67a4508dfc72588749f012ffbf96b4fd36c34e97bac8f7cdc37cbc46a82d2269960f2af307beed57547a115b34c4679ef18a978296eb

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
5c426a824a8cb304ac2c8f0bdd9138cb

SHA1
b3bd3c7513b6dc0e7299fb846285d6032c428180

SHA256
4cfa94d84e85e411892cbdca904471fc5fdd53442c0725811d422afbec123f3b

SHA512
80f5daf7bbda6ddb243616ea4ebabaca19c2e77325b7259143afe8e40384b8f2fbb235c44239a5614a12a355c12b48d1ce2066554b2fbec9409df39184e79904

Download Submit
memory/996-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/996-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-31-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/1280-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-9-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1980-8-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1980-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-18-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2600-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing