neconyd | 5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020

General

Target

5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
Size

248KB
MD5

0a06e1be816ad0829750b2f214ac660a
SHA1

445ebc855644ad2d53647a7a3d46d54108d7238a
SHA256

5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020
SHA512

a3e540d17981efefb7ff2d9d4f96d9ec3b384636b478fe36aaad8cea63c413ff88cfecc5f85a102a0288df563c233b0dba46dfdec2d5d260a6165fdf85a0bc1e
SSDEEP

1536:H4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzUb:HIdseIO+EZEyFjEOFqTiQmGnOHjzUb

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2108	omsecor.exe
2948	omsecor.exe
1452	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1836	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
1836	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
2108	omsecor.exe
2108	omsecor.exe
2948	omsecor.exe
2948	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1836-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1836-4-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/files/0x0007000000012119-2.dat	upx
behavioral1/memory/1836-9-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2108-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0008000000015d59-16.dat	upx
behavioral1/memory/2108-18-0x0000000000320000-0x000000000035E000-memory.dmp	upx
behavioral1/memory/2108-23-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0007000000012119-36.dat	upx
behavioral1/memory/2948-34-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2948-29-0x0000000000220000-0x000000000025E000-memory.dmp	upx
behavioral1/memory/1452-37-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2108	1836	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe	30
PID 1836 wrote to memory of 2108	1836	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe	30
PID 1836 wrote to memory of 2108	1836	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe	30
PID 1836 wrote to memory of 2108	1836	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe	30
PID 2108 wrote to memory of 2948	2108	omsecor.exe	33
PID 2108 wrote to memory of 2948	2108	omsecor.exe	33
PID 2108 wrote to memory of 2948	2108	omsecor.exe	33
PID 2108 wrote to memory of 2948	2108	omsecor.exe	33
PID 2948 wrote to memory of 1452	2948	omsecor.exe	34
PID 2948 wrote to memory of 1452	2948	omsecor.exe	34
PID 2948 wrote to memory of 1452	2948	omsecor.exe	34
PID 2948 wrote to memory of 1452	2948	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
"C:\Users\Admin\AppData\Local\Temp\5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
61e43159966fc65a50bec89227d76156

SHA1
d67b422d1574b9d2a32ba90631c18ef52b21a273

SHA256
5c12f8886456decb67c6177beb4fe9d093e3fb9d3245a23267805e42f2084415

SHA512
f04e64f496c3a3e316851ad3e973346ad99361e4026c57c8730e8b5886f40f14663ea7d2ae6c70a956e3beccdfcf7f85d35c9c3aec19ebcefaa43641d6d60cfc

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
d7b9a08afe9a00050a6b57bf6a4ea12a

SHA1
a0d7b8428a338bfe2f71f97305ca9773f49bf8f3

SHA256
38755d7cfe98639849552da995dfedc64ecd04e90de403ad585571a589539478

SHA512
6e9c060e3918c4e1018252a3dca1433398603ea94f4e04aa3cd6bc6ed029d1e013194122ac73f897b9750619b4b29455b2c6678a7d7c7f54c5773b0a457da105

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
93fde83bd9da5b791f227c57e824cb40

SHA1
d7b1844d919505970378d20da190b5a524513763

SHA256
fba37514fc9bfc40672ecd968cbdafdabb07462388608b67809e3263c8d37be5

SHA512
7a7f591e900fa585df945b35dcd8384c1ea88711ca1e122f448bc17109d03a4c6b2a01851e2661a093c86e1a8a152825a2cfdf8fe50ddbe8ec45db6c62ce3c91

Download Submit
memory/1452-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1836-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1836-4-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1836-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-18-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/2108-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-29-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing