neconyd | 5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1

General

Target

5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe
Size

248KB
MD5

95e357eca6a4db7b1fb3eefc1909d023
SHA1

2c7a499102a75c0c465e4ac7de8620e0d734490c
SHA256

5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1
SHA512

0e12f75f5990d849fb3d72763dd5ebfc5c67e3b268c3b5ec77dc5ff7826ed28db8abfa563280eecb2af54cb1468d38450a54dadcb30f378c7fe3284f9c53c0c0
SSDEEP

1536:14d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:1IdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1700	omsecor.exe
1156	omsecor.exe
684	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2076	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe
2076	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe
1700	omsecor.exe
1700	omsecor.exe
1156	omsecor.exe
1156	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2076-1-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000c00000001226d-2.dat	upx
behavioral1/memory/1700-10-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2076-8-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1700-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-16.dat	upx
behavioral1/memory/1700-17-0x0000000001F70000-0x0000000001FAE000-memory.dmp	upx
behavioral1/memory/1700-23-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1156-33-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/684-35-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000c00000001226d-34.dat	upx
behavioral1/memory/684-37-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1700	2076	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe	30
PID 2076 wrote to memory of 1700	2076	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe	30
PID 2076 wrote to memory of 1700	2076	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe	30
PID 2076 wrote to memory of 1700	2076	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe	30
PID 1700 wrote to memory of 1156	1700	omsecor.exe	33
PID 1700 wrote to memory of 1156	1700	omsecor.exe	33
PID 1700 wrote to memory of 1156	1700	omsecor.exe	33
PID 1700 wrote to memory of 1156	1700	omsecor.exe	33
PID 1156 wrote to memory of 684	1156	omsecor.exe	34
PID 1156 wrote to memory of 684	1156	omsecor.exe	34
PID 1156 wrote to memory of 684	1156	omsecor.exe	34
PID 1156 wrote to memory of 684	1156	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe
"C:\Users\Admin\AppData\Local\Temp\5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
7666f6399cde16b327ed2bcbaa14e531

SHA1
a2851d1a751b1eea64aea17ad58e09a7f1302942

SHA256
76a2a10b0a43bf3b69960f85b1a546051f7cd359f5dfc4b7a78f33dfe8aaac70

SHA512
db66db9ba5064698101a14885802d535e15547fb24179d34343407a19a7df4b442d0b746c9b81ad5769ab341fae708b6bf0137f33dcbeba9b5b4222508d06bf9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
2e38a4c09a813036dbbafcf261cbc230

SHA1
cb4f5758eeba01f7d414cca3da6618e4b589eadd

SHA256
dac6ff95132c3a6fb7c4745ac3e9b42e35f5db53af5e7f5176758c8d99004f79

SHA512
0168d1f47ec437e33e972134a7c3ae43e0c4a0f294bbcf16550561b5c0578d21bd6b4f9208e8b468250aed5f38581a765b22bf7c60c9ec61f5df5789d7d594c1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
4f4a2e7aa8a1565b0e8cde43f1469acb

SHA1
fe979b9b77b60af3bcb90c37b9c5aeaf5a616d91

SHA256
83db1511f59e6e240a1ca8d71f30edbe6d0b3d85a2a27a3869358292b30c4ae4

SHA512
fc08509e1f10871d4800627b6b8d71b602706bddd6fe660a93c97b6ac0fb898f30f703cc512d6c5d2c1bcdcae619b91ee1df076036e251f72754e16ef4d3a248

Download Submit
memory/684-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/684-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1156-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-17-0x0000000001F70000-0x0000000001FAE000-memory.dmp

Filesize
248KB

Download
memory/1700-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing