Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-08-2024 09:18

General

  • Target

    d37325fa6d16e231fe954451da014930N.exe

  • Size

    80KB

  • MD5

    d37325fa6d16e231fe954451da014930

  • SHA1

    59f2ca54376d026804105d04664edfa9ce5320e4

  • SHA256

    dabab0c6eb8f980f737cec377f243b17c7bc0ab4d8e85f7522a248d9de86bd71

  • SHA512

    de5c7acd5d633ec2c920617f557ebd1e1ad1f17ca4338befebb2a568c1d837432f3c8144624b172b564e81100d7c392781818f40e400c9401333f90d1a44212c

  • SSDEEP

    768:JfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:JfbIvYvZEyFKF6N4yS+AQmZTl/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d37325fa6d16e231fe954451da014930N.exe
    "C:\Users\Admin\AppData\Local\Temp\d37325fa6d16e231fe954451da014930N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4316
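The process tree above and the C2 list under Malware Config are the behaviour a defender would hunt for on other hosts: a binary run from the user profile writes omsecor.exe to %APPDATA%, that copy writes a second omsecor.exe into the Windows system directory and executes it, and the system copy spawns the %APPDATA% copy again. One detail worth keeping: the third process is listed with image C:\Windows\SysWOW64\omsecor.exe but command line C:\Windows\System32\omsecor.exe, because a 32-bit writer targeting System32 is redirected to SysWOW64 by WOW64, so a hunt has to watch both directories. The script below is an added example for this report, not sandbox output or code from the sample; the EVENTS and DNS_LOG inputs are constructed to mirror the tree and the C2 hosts listed on this page, use a simplified form of Sysmon Event ID 1 (ProcessCreate) and 11 (FileCreate) fields, and ignore PID reuse, which is fine for a single short run but not for a day of telemetry.

```python
"""Hunt for this report's Neconyd behaviour in Sysmon-style telemetry.

Added example, not output of the sandbox. EVENTS and DNS_LOG below are
constructed to mirror the process tree and C2 list in the report; field
names are a simplified form of Sysmon Event ID 1 (ProcessCreate) and
Event ID 11 (FileCreate). PID reuse is ignored (assumption: one short run).
"""
import re

# Indicators copied from the report.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
# Both system directories: a 32-bit process writing to System32 is
# redirected to SysWOW64 by WOW64 file system redirection.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_DIRS = ("c:\\users\\",)

# Constructed events, in the order the sandbox reported the processes.
EVENTS = [
    {"id": 1, "pid": 3828, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d37325fa6d16e231fe954451da014930N.exe"},
    {"id": 11, "pid": 3828, "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"id": 1, "pid": 3296, "ppid": 3828, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"id": 11, "pid": 3296, "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"id": 1, "pid": 2968, "ppid": 3296, "image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"id": 1, "pid": 4316, "ppid": 2968, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"id": 1, "pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\notepad.exe"},  # benign noise
]

# Constructed DNS resolver log lines (not real traffic): "<ts> <client> query <type> <qname>".
DNS_LOG = """\
2024-08-18T09:18:41Z 10.0.0.12 query A ow5dirasuek.com.
2024-08-18T09:18:42Z 10.0.0.12 query A cdn.LOUSTA.net
2024-08-18T09:18:43Z 10.0.0.12 query A www.microsoft.com
2024-08-18T09:18:44Z 10.0.0.12 query A notlousta.net
"""
DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")


def _norm(path):
    """Case-fold a Windows path so comparisons ignore case differences."""
    return path.strip().lower()


def executed_dropped_exe(events):
    """Flag ProcessCreate events whose image was written earlier in the stream.

    Returns one (creator_pid, new_pid, image) tuple per hit, i.e. the report's
    'Executes dropped EXE' signature. FileCreate must precede the execution.
    """
    created_by = {}  # normalized path -> pid of the first process that wrote it
    hits = []
    for ev in events:
        if ev["id"] == 11:
            created_by.setdefault(_norm(ev["target"]), ev["pid"])
        elif ev["id"] == 1:
            image = _norm(ev["image"])
            if image in created_by:
                hits.append((created_by[image], ev["pid"], ev["image"]))
    return hits


def system_dir_drops_from_user_profile(events):
    """Flag FileCreate into System32/SysWOW64 by a process running from a user profile.

    Returns (writer_pid, target) per hit: the report's 'Drops file in System32'.
    """
    images = {}  # pid -> normalized image path, from earlier ProcessCreate events
    hits = []
    for ev in events:
        if ev["id"] == 1:
            images[ev["pid"]] = _norm(ev["image"])
        elif ev["id"] == 11:
            target = _norm(ev["target"])
            writer = images.get(ev["pid"], "")
            if target.startswith(SYSTEM_DIRS) and writer.startswith(USER_DIRS):
                hits.append((ev["pid"], ev["target"]))
    return hits


def c2_lookups(log_text):
    """Return (ts, client, qname) for queries of a C2 host or any subdomain of one.

    Names are lower-cased and the trailing dot stripped; the suffix check uses a
    leading '.', so 'notlousta.net' does not match 'lousta.net'.
    """
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        name = qname.lower().rstrip(".")
        if name in C2_HOSTS or any(name.endswith("." + h) for h in C2_HOSTS):
            hits.append((ts, client, name))
    return hits


if __name__ == "__main__":
    for hit in executed_dropped_exe(EVENTS):
        print("executed dropped exe:", hit)
    for hit in system_dir_drops_from_user_profile(EVENTS):
        print("system dir drop from user profile:", hit)
    for hit in c2_lookups(DNS_LOG):
        print("C2 lookup:", hit)
```

Run against the constructed stream, the three executed-dropped-EXE hits (PIDs 3296, 2968, 4316) and the single drop into SysWOW64 by PID 3296 line up with the counts in the Signatures section, which is a quick way to confirm a detection reproduces what the sandbox saw before deploying it against real endpoint telemetry.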

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    4dbedc1630af2f1e48cc2b0395f6e134

    SHA1

    a4656c4bac188dd6f2f73a08c401e78093481aa6

    SHA256

    9899e7762646c4ca83f49c4f962b4b32602ab678ecd43b1e18e8e1472664eb0a

    SHA512

    a9f7852e8556330f4552e1b8bea4b15b6bb90d0e09578c754bfa24631cfaf3be851e2c5abd5644e32e136d525ec6adce0b2379c05e4a0843361b8000b842d813

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    1e6f8d8858edb98fe550eca414b5edc6

    SHA1

    5028cceb6098d77590ba9f5c159799cf41bc154a

    SHA256

    096250bd2c0b57b42720425d766e3a7630f37771001fb5e16553a8812ea5a229

    SHA512

    5205723b13deba96a782c68d27732b6d19e283dd5d1fa099e7d7b71ee4f1abe99a9135bcbfebdece63f61ee0bc65da518c403a01ac22f99740a8268f498a76ea

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    2cbf7d33ae6537c3037a6d571b0c6335

    SHA1

    196131908da670bb498245458eb1b337463b4786

    SHA256

    6475598339bf2e02779607c56e09ff3f234087fdfb3345861bdc76879f0dd941

    SHA512

    00db487de4d7022722ae6af72d92c1b2a20825177b0b5ded32469bb4879a26459fe2e87547bc664234a43805a7f51f9d633f9109bed8badb56aef6776154f49f