neconyd | 6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247

General

Target

6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe
Size

248KB
MD5

4d479461bba10b78c07c0fec522ae102
SHA1

7470a2ec74ecf234e8c7ebf54a870be50ec41835
SHA256

6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247
SHA512

1aab644ef397e43a99db9a987f24e19f6205bade174754b6901b73980224080b42d7c771562bc80053625074d00ef04b574fc9f21f6821c886262f3c7d76fe6b
SSDEEP

1536:s4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:sIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1684	omsecor.exe
2912	omsecor.exe
2928	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2544	6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe
2544	6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe
1684	omsecor.exe
1684	omsecor.exe
2912	omsecor.exe
2912	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2544-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000e000000013ab3-2.dat	upx
behavioral1/memory/2544-8-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1684-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1684-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-16.dat	upx
behavioral1/memory/2912-26-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1684-24-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x000e000000013ab3-29.dat	upx
behavioral1/memory/2912-30-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/memory/2912-36-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2928-39-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1684	2544	6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe	31
PID 2544 wrote to memory of 1684	2544	6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe	31
PID 2544 wrote to memory of 1684	2544	6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe	31
PID 2544 wrote to memory of 1684	2544	6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe	31
PID 1684 wrote to memory of 2912	1684	omsecor.exe	34
PID 1684 wrote to memory of 2912	1684	omsecor.exe	34
PID 1684 wrote to memory of 2912	1684	omsecor.exe	34
PID 1684 wrote to memory of 2912	1684	omsecor.exe	34
PID 2912 wrote to memory of 2928	2912	omsecor.exe	35
PID 2912 wrote to memory of 2928	2912	omsecor.exe	35
PID 2912 wrote to memory of 2928	2912	omsecor.exe	35
PID 2912 wrote to memory of 2928	2912	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe
"C:\Users\Admin\AppData\Local\Temp\6cfe1a02ba68b7dd358f8c5d9ad441f2d11632a52c2041f7030860384ac3e247.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
189f665be007e72e19e0438ce314c542

SHA1
0f48523dbd1b0c76ac1139a9648225ba0d7087e3

SHA256
a999a43978569cec2da6a92cb402db18fe48dd3f9ba0c4fd744f91d80ef43ff8

SHA512
7171499c7a8f0c076bc474ffd4a802e949c6e4c5625d288f6f0d4f2afd9652d096227d47124a3e026249ed8801d9943455a8565c8d824276be050fb973d8812a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
bc63b5bb85d06fd78c0850c74f104055

SHA1
21775575d27ee9cc55c1a4444552007d7e8b81ac

SHA256
50e212c80aad8b0326d4be1f7318ee22e7a6a64d448ffd7866d5dde0c4d7dccb

SHA512
4298fe2b07786cbdc865a7a124c2386ba4b2b4e87a18dd7e2bd02a7e0fc500d75f6675422f40669750bccca959d86037421cca45e174eda8added4fa84f1f553

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
34d8769699111881e3e13acce01246ef

SHA1
a776e5962f7367afb63b2555375ad9123b7877ab

SHA256
55522467c0dbd24033d71d7ca6645a2e9f7d8cf1836c85f08b8c0c2849696253

SHA512
5f0c0db53c4375db5a1ee8c78b8df96840e6b2e35f8d090123f59c1222093187ed23d548a3fc739484466a6a4de16edee2a606dd65d6120287976d618e0a23f4

Download Submit
memory/1684-22-0x0000000001FA0000-0x0000000001FDE000-memory.dmp

Filesize
248KB

Download
memory/1684-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-23-0x0000000001FA0000-0x0000000001FDE000-memory.dmp

Filesize
248KB

Download
memory/2544-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2912-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2912-30-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2912-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing