Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18-08-2024 09:09

General

  • Target

    759b81d87e3790c1e1a5eb0e8ca191c0N.exe

  • Size

    71KB

  • MD5

    759b81d87e3790c1e1a5eb0e8ca191c0

  • SHA1

    187790f1e2c75ef8fad872b78e60337e01a5ec93

  • SHA256

    d53e63679f7902887c20b9587c6ac16fbce6f22b4b3d918027644217908fdabe

  • SHA512

    102e5e6822b9da768f6e9b2a4b7de2cb2eb956bb4c92fd4372147dab7f705f0ae90ee2ec3baafef80f43d79d7a8d51427632bbc5984bd0331bf5acbc506a4cff

  • SSDEEP

    1536:ed9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:GdseIOMEZEyFjEOFqTiQmQDHIbH

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    71KB

    MD5

    b2eff1323a1ffb0533429e2da8a9642d

    SHA1

    9aa55585d58ce023f3e47922f82f8febd775de29

    SHA256

    b964fcd6f67c044c652090cf821b8f1fd1cc7956d38f5feccaf62e773d61b68d

    SHA512

    d5ede1b0aaef977c79e16ec5e7401a241e53471d7ce8d4efb0c6453560e7dadbb766da36d4d546b7657b282804374da9052c869756e94dd01e1f765b6a5b50b7

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    71KB

    MD5

    78daca9d26d576398a39d113ec1b58a2

    SHA1

    4c77d30b7037eb3da513f96c549e9c8aff5d7705

    SHA256

    cbbff1931e290c5d1f1b731de2a396a7a5c842279d6c59a13fe2f203e1413999

    SHA512

    8fa3c27137ae57e70b203618c303329d0b71edbfce3263dc9844bd29e79c1b0e691d484fe5b4c5a2ff527f055020a407db9e1b9fc7e73d91e8a263a4f1e180ec

  • memory/2468-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2468-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2468-9-0x00000000001B0000-0x00000000001DB000-memory.dmp

    Filesize

    172KB

  • memory/2468-4-0x00000000001B0000-0x00000000001DB000-memory.dmp

    Filesize

    172KB

  • memory/2872-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2872-19-0x00000000002A0000-0x00000000002CB000-memory.dmp

    Filesize

    172KB

  • memory/2872-25-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2872-24-0x00000000002A0000-0x00000000002CB000-memory.dmp

    Filesize

    172KB

  • memory/2972-28-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB