neconyd | 91697091bd716dfbc65721f0bc80216b71f56099baeb73ce68957156d5f99c91

General

Target

91697091bd716dfbc65721f0bc80216b71f56099baeb73ce68957156d5f99c91.exe
Size

248KB
MD5

3e1818397961440efac98af4cf7752a5
SHA1

b0069a8bcc564240d26eab05eff95afb5a101bf9
SHA256

91697091bd716dfbc65721f0bc80216b71f56099baeb73ce68957156d5f99c91
SHA512

e7767ba16c93f2e77d69db25b19d2ca2f27dbb11069d106939e0d9cf7b3118ae895ce087c882d7e5be1c5cc2fb12ad199739034408d1c4bd15d642f64b663023
SSDEEP

1536:a4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzUr:aIdseIO+EZEyFjEOFqTiQmGnOHjzUr

Score

10^/10

neconyd discovery trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3068	omsecor.exe
1188	omsecor.exe
548	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/540-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x0008000000023c94-2.dat	upx
behavioral2/memory/3068-4-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/540-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3068-7-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x000800000001e786-10.dat	upx
behavioral2/memory/1188-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/3068-12-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/1188-16-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/files/0x0008000000023c94-17.dat	upx
behavioral2/memory/548-18-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral2/memory/548-20-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91697091bd716dfbc65721f0bc80216b71f56099baeb73ce68957156d5f99c91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 3068	540	91697091bd716dfbc65721f0bc80216b71f56099baeb73ce68957156d5f99c91.exe	83
PID 540 wrote to memory of 3068	540	91697091bd716dfbc65721f0bc80216b71f56099baeb73ce68957156d5f99c91.exe	83
PID 540 wrote to memory of 3068	540	91697091bd716dfbc65721f0bc80216b71f56099baeb73ce68957156d5f99c91.exe	83
PID 3068 wrote to memory of 1188	3068	omsecor.exe	102
PID 3068 wrote to memory of 1188	3068	omsecor.exe	102
PID 3068 wrote to memory of 1188	3068	omsecor.exe	102
PID 1188 wrote to memory of 548	1188	omsecor.exe	103
PID 1188 wrote to memory of 548	1188	omsecor.exe	103
PID 1188 wrote to memory of 548	1188	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\91697091bd716dfbc65721f0bc80216b71f56099baeb73ce68957156d5f99c91.exe
"C:\Users\Admin\AppData\Local\Temp\91697091bd716dfbc65721f0bc80216b71f56099baeb73ce68957156d5f99c91.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
b39d520c47e280ac0e3956fcc6b4148d

SHA1
596e1f5d8953261a9ed6820ed7381d46369ba486

SHA256
452d75fc7e740d9e06ef250c8cbcf6a7205bc550374bd6f5e5591b880fdcbd3e

SHA512
a92e451c9d837eb6f233f9a0c3859e7bf3a35b8def75755adb45603d0e054b7c07086868dbcad070794236837341b37ed00bfd0a8eb6f0b12f7882673fd38c9b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
248KB

MD5
5f903b457bbb181939be41196d947c21

SHA1
6e8a7378eebcd705aecb2354e27c3a14bfc93302

SHA256
3bf7ddb7e92e0122c9af323b1f44edf776dc9ca3e4d9549d63e28f764da20b21

SHA512
202f3325bd3524be89c14c5dadbf0fb9ef1b058c2708fb38382627f7bf327b012157fad0bf57a8ecb3d43726d7cdde0262daf93f53aa82f3aff9ae9f470aaea1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
248KB

MD5
50c9f928f928d607649ed132e7c480ae

SHA1
7490591332fb942057321d14d25246baf1652838

SHA256
f9f0f7480ee153ad8eb0f6d400e08011c1e7e632e2a2404bdf97f4cc8af6700b

SHA512
61b03adc7dc12355e6e7c0d3d1bc55caee6b9b11bc391dd593690c33e244e14dd23fb67a68d04264560f7ff67f36e5b82e1bec82a31131e054866f296f8d76a8

Download Submit
memory/540-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1188-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1188-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing