neconyd | 5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1

General

Target

5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe
Size

248KB
MD5

95e357eca6a4db7b1fb3eefc1909d023
SHA1

2c7a499102a75c0c465e4ac7de8620e0d734490c
SHA256

5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1
SHA512

0e12f75f5990d849fb3d72763dd5ebfc5c67e3b268c3b5ec77dc5ff7826ed28db8abfa563280eecb2af54cb1468d38450a54dadcb30f378c7fe3284f9c53c0c0
SSDEEP

1536:14d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:1IdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3100	omsecor.exe
4148	omsecor.exe
2296	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4156-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000c000000023b40-3.dat	upx
behavioral2/memory/3100-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4156-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3100-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/4148-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000c0000000218b4-10.dat	upx
behavioral2/memory/3100-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000c000000023b40-17.dat	upx
behavioral2/memory/4148-19-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/2296-18-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/2296-20-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 3100	4156	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe	82
PID 4156 wrote to memory of 3100	4156	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe	82
PID 4156 wrote to memory of 3100	4156	5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe	82
PID 3100 wrote to memory of 4148	3100	omsecor.exe	92
PID 3100 wrote to memory of 4148	3100	omsecor.exe	92
PID 3100 wrote to memory of 4148	3100	omsecor.exe	92
PID 4148 wrote to memory of 2296	4148	omsecor.exe	93
PID 4148 wrote to memory of 2296	4148	omsecor.exe	93
PID 4148 wrote to memory of 2296	4148	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe
"C:\Users\Admin\AppData\Local\Temp\5839afb099cf5ab836040cb7660e88c1d931bdfdb781949a83227ac43aee47f1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
d445e3ac1376afae05abefdfd43a49df

SHA1
113833ca8790b35c7368559c5ae0eb9dbfa8285f

SHA256
d496cd68b8e4f6b5e5c8902ed1182d8ed4bb0808f00fe3a7f45c057815735dd2

SHA512
d6d17a7020cc2f24e6e93a1e98c130b8ee3aea81ca6ae25f0cca1563958b0e5132d9f7a2fe8e34376c9abeb790748d1b5313ed0bebaeea2764f3040b8b704ccb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
2e38a4c09a813036dbbafcf261cbc230

SHA1
cb4f5758eeba01f7d414cca3da6618e4b589eadd

SHA256
dac6ff95132c3a6fb7c4745ac3e9b42e35f5db53af5e7f5176758c8d99004f79

SHA512
0168d1f47ec437e33e972134a7c3ae43e0c4a0f294bbcf16550561b5c0578d21bd6b4f9208e8b468250aed5f38581a765b22bf7c60c9ec61f5df5789d7d594c1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
9244e38cdff0f7bf5309ee51be87b8e3

SHA1
2d76337e8797652cf7f790df49cee41f146feded

SHA256
70ec933f3a2833b7c99d449f063313e705293fd5035297e30f9caea5ff90a1a9

SHA512
0f854b0b192016deb8a5da412fa3f38e062cea3bda4236f00bbb071277102c52ca60dceb6d4f8fdd194e8abfa9984d3570548624cb5b7795104643b41fcb5218

Download Submit
memory/2296-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2296-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4148-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4148-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4156-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4156-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing