neconyd | d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853

General

Target

d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe
Size

248KB
MD5

a4393f6abb22d3f18d73d97ea9b0ed10
SHA1

d6caf56ed89aad9ae9e935aa40bc8190054653f0
SHA256

d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853
SHA512

3da3172de533ca7ad1fc812472647d163edf33ab8a6ee35d23903b884f143b4bffa3ec4da47db01863f6b8f1c90226b9ddbaca3a2351e3bea84155d9a8255521
SSDEEP

1536:H4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:HIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2172	omsecor.exe
800	omsecor.exe
1836	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2380	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe
2380	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe
2172	omsecor.exe
2172	omsecor.exe
800	omsecor.exe
800	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-4-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/files/0x0033000000011c23-2.dat	upx
behavioral1/memory/2380-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2380-9-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2172-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0009000000015e47-16.dat	upx
behavioral1/memory/800-25-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2172-23-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0033000000011c23-37.dat	upx
behavioral1/memory/800-35-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/800-30-0x0000000000440000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1836-38-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2172	2380	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe	30
PID 2380 wrote to memory of 2172	2380	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe	30
PID 2380 wrote to memory of 2172	2380	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe	30
PID 2380 wrote to memory of 2172	2380	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe	30
PID 2172 wrote to memory of 800	2172	omsecor.exe	33
PID 2172 wrote to memory of 800	2172	omsecor.exe	33
PID 2172 wrote to memory of 800	2172	omsecor.exe	33
PID 2172 wrote to memory of 800	2172	omsecor.exe	33
PID 800 wrote to memory of 1836	800	omsecor.exe	34
PID 800 wrote to memory of 1836	800	omsecor.exe	34
PID 800 wrote to memory of 1836	800	omsecor.exe	34
PID 800 wrote to memory of 1836	800	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe
"C:\Users\Admin\AppData\Local\Temp\d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
bd73356c735773d7161f2bbc4d36d665

SHA1
0e3813612b733df9844da6d88ee108b486c1f1c8

SHA256
c28c3bf50e3997296b06545d55045654244845ddaca978e1325984ee23eede65

SHA512
0c4fc3f618c0c7b27b5270f2d0174adfe803e9883003e82c43adecf8aede5978bdaa4e483c38ee3db911e62e39017b9dcb385465377f8201bb57026600f5f76b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
863153cf6ed08d593b1011c4299f742a

SHA1
cb9951d851d61c07d2e5b73083dc9ab6a38ae829

SHA256
bde2ea54b6f2942c997241be518004bdc9bddd0b770677cc6bb11570a5712478

SHA512
a701d7a9fa50cdd4b8a6d37dba0e7ffbeb446ca3eedd66dd1f0d78f4ed974dd111d6dc3af31dccaeab75084b7e7dc8648ccf44ed2bdba742288fc708edb0a556

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
38cccf8242054af4bf2669628ec6c191

SHA1
a2e0da74bf155b23292b5f725a07a324486b38fb

SHA256
b42a9b3616d462b989a32f8918fb70d8d6f93d77cc303dffb35ed6523b5db022

SHA512
0638e5ecc89954b350fdaeb66131b8b5d1ca5fa637c3d1415e8d06084f9b7b4357c68556171d0a09f4a9eb689fb074d1e472ba6396fcdd0c7d10f0d8f3ef83f0

Download Submit
memory/800-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/800-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/800-30-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1836-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-22-0x0000000002350000-0x000000000238E000-memory.dmp

Filesize
248KB

Download
memory/2380-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2380-4-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2380-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing