neconyd | d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853

General

Target

d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe
Size

248KB
MD5

a4393f6abb22d3f18d73d97ea9b0ed10
SHA1

d6caf56ed89aad9ae9e935aa40bc8190054653f0
SHA256

d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853
SHA512

3da3172de533ca7ad1fc812472647d163edf33ab8a6ee35d23903b884f143b4bffa3ec4da47db01863f6b8f1c90226b9ddbaca3a2351e3bea84155d9a8255521
SSDEEP

1536:H4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:HIdseIO+EZEyFjEOFqTiQmGnOHjzU

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3872	omsecor.exe
3176	omsecor.exe
912	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1488-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3872-4-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000b000000023bb1-3.dat	upx
behavioral2/memory/1488-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3872-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x0002000000021ea9-10.dat	upx
behavioral2/memory/3176-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000b000000023bb1-16.dat	upx
behavioral2/memory/3176-19-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/912-18-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3872-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/912-20-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3872	1488	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe	83
PID 1488 wrote to memory of 3872	1488	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe	83
PID 1488 wrote to memory of 3872	1488	d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe	83
PID 3872 wrote to memory of 3176	3872	omsecor.exe	99
PID 3872 wrote to memory of 3176	3872	omsecor.exe	99
PID 3872 wrote to memory of 3176	3872	omsecor.exe	99
PID 3176 wrote to memory of 912	3176	omsecor.exe	100
PID 3176 wrote to memory of 912	3176	omsecor.exe	100
PID 3176 wrote to memory of 912	3176	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe
"C:\Users\Admin\AppData\Local\Temp\d4daba63e23d7e2e89c7c2d0da400271133b337f605ef4df4d5b7f341591e853N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
5d0de851da76dfd255d4547ea19d1f10

SHA1
76a469a5b6345c73bffaf20f817e79b173d7b034

SHA256
5370e72895967acb63c8cc3ddd7485013198345c1f651195ddb9c6d0ace4c589

SHA512
2f64587d31c9f814214f671fc94dd7c36304d6e7f27d79e9bd8007bb31447bc4b134f2e0dd32d70e8d5faf93d77614d7c5a89bcf26c56f71e8c3902c2cb244a0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
863153cf6ed08d593b1011c4299f742a

SHA1
cb9951d851d61c07d2e5b73083dc9ab6a38ae829

SHA256
bde2ea54b6f2942c997241be518004bdc9bddd0b770677cc6bb11570a5712478

SHA512
a701d7a9fa50cdd4b8a6d37dba0e7ffbeb446ca3eedd66dd1f0d78f4ed974dd111d6dc3af31dccaeab75084b7e7dc8648ccf44ed2bdba742288fc708edb0a556

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
1644d6b0b9c487f61ba1bb0e555a5160

SHA1
ae044f0727df34c5bb5cf372a9e438e4eed25f30

SHA256
2312f1c079df652068c6a42675fbf291422cda05c5215952d275a87978d30c75

SHA512
9d92d414d6001a6ee52c78b68dca9bda2244876b769279168005b01707bd03568793be7a4fd729d6e197934aaeb6ed1a2d092a9bb1476757ea0ee91b64555188

Download Submit
memory/912-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3176-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3176-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3872-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3872-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3872-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing