neconyd | 5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020

General

Target

5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
Size

248KB
MD5

0a06e1be816ad0829750b2f214ac660a
SHA1

445ebc855644ad2d53647a7a3d46d54108d7238a
SHA256

5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020
SHA512

a3e540d17981efefb7ff2d9d4f96d9ec3b384636b478fe36aaad8cea63c413ff88cfecc5f85a102a0288df563c233b0dba46dfdec2d5d260a6165fdf85a0bc1e
SSDEEP

1536:H4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzUb:HIdseIO+EZEyFjEOFqTiQmGnOHjzUb

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1756	omsecor.exe
1228	omsecor.exe
532	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2580	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
2580	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
1756	omsecor.exe
1756	omsecor.exe
1228	omsecor.exe
1228	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2580-1-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1756-9-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0008000000012102-8.dat	upx
behavioral1/memory/1756-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-15.dat	upx
behavioral1/memory/1756-16-0x0000000001F80000-0x0000000001FBE000-memory.dmp	upx
behavioral1/files/0x0008000000012102-27.dat	upx
behavioral1/memory/532-36-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1228-35-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1228-25-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1756-22-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/532-38-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1756	2580	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe	30
PID 2580 wrote to memory of 1756	2580	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe	30
PID 2580 wrote to memory of 1756	2580	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe	30
PID 2580 wrote to memory of 1756	2580	5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe	30
PID 1756 wrote to memory of 1228	1756	omsecor.exe	33
PID 1756 wrote to memory of 1228	1756	omsecor.exe	33
PID 1756 wrote to memory of 1228	1756	omsecor.exe	33
PID 1756 wrote to memory of 1228	1756	omsecor.exe	33
PID 1228 wrote to memory of 532	1228	omsecor.exe	34
PID 1228 wrote to memory of 532	1228	omsecor.exe	34
PID 1228 wrote to memory of 532	1228	omsecor.exe	34
PID 1228 wrote to memory of 532	1228	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe
"C:\Users\Admin\AppData\Local\Temp\5a65235160605cdca49f3f33060b2a9b16d4f28ea7e60c3f4e98210c09f3b020.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
d7b9a08afe9a00050a6b57bf6a4ea12a

SHA1
a0d7b8428a338bfe2f71f97305ca9773f49bf8f3

SHA256
38755d7cfe98639849552da995dfedc64ecd04e90de403ad585571a589539478

SHA512
6e9c060e3918c4e1018252a3dca1433398603ea94f4e04aa3cd6bc6ed029d1e013194122ac73f897b9750619b4b29455b2c6678a7d7c7f54c5773b0a457da105

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
2e036a20281d9c107f20aa3f58acfbd3

SHA1
42b8b826da7c6b5c1f9dc3b772728e8e6586e2cd

SHA256
10d99d84799e7bb8fb1a64176bfd55214edcaf13d5f3890a2edba1f96cde3442

SHA512
fbacf18287c5aad139e360ccfdb2552df99707f0de6f285245bd55b4a9e35735e8037c05d0d26c47b1df504d38da22950fc2239d8f43c88b9387921844395f4e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
54d6f527d93dc75c24a7511b8a35701c

SHA1
f2c488c26f058e654186f47b715ea891cc1d3e55

SHA256
a046020e093910b2984c2d0a6d936cf48d33c8194122804bb3fd5e8b7fb004df

SHA512
da417a9f2464bb4eae986366d05b9b614930dcea757ebd6837a33e8561fc32c5ac0db416421a9e6b4f1206789ed0cd659c9c0c9e2d53e2ae27c8758c1f8daa12

Download Submit
memory/532-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-29-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/1228-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-16-0x0000000001F80000-0x0000000001FBE000-memory.dmp

Filesize
248KB

Download
memory/1756-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing