Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-08-2024 11:23

General

  • Target

    5dc708aa69cee869ebaf67ff489d1780N.exe

  • Size

    248KB

  • MD5

    5dc708aa69cee869ebaf67ff489d1780

  • SHA1

    e4804f8293be1d18b2943664aa01c70235fb2e06

  • SHA256

    8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370

  • SHA512

    d9e4cbbc51812dcb695d450930b76f727f4c45cb0d80b1563ad48c5beb40586c4f1f608d2b561f598b777106cf1e472b3826d1a6750faf1dd3f3908321dd00dd

  • SSDEEP

    1536:k4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:kIdseIO+EZEyFjEOFqTiQmGnOHjzU

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with the UPX open-source packer, or with a modified build of it.

  • Drops file in System32 directory 2 IoCs

    The copy lands in C:\Windows\SysWOW64\ rather than C:\Windows\System32\: the dropper is a 32-bit process on a 64-bit Windows 7 image, so WOW64 file system redirection rewrites its System32 path (compare the image path and the command line of the third process below).
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 8 IoCs
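The "UPX packed file" signature is a structural check on the PE image. The block below is an added example of such a check, not the sandbox's own detector: it reads the section table, tests for UPX's default section names, for the UPX! marker, and for the UPX layout (an empty first section with a large VirtualSize, followed by a high-entropy second section), so that a modified UPX build with renamed sections is still caught. The helper names and the three constructed PE images are assumptions made for illustration; they are not the sample on this page.

```python
"""Structural UPX check over a PE image, the test the 'UPX packed file' signature
performs. Added example, not the sandbox's own detector; the helper names and
the constructed PE images below are assumptions."""
import math
import struct

# Default section names written by UPX. A modified build can rename them, so
# the layout heuristic further down does not depend on them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
UPX_MAGIC = b"UPX!"   # marker UPX stores in its l_info header after the section table


def section_headers(pe: bytes):
    """Yield (name, VirtualSize, SizeOfRawData, PointerToRawData) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    first = coff + 20 + opt_size
    for i in range(n_sections):
        off = first + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, vsize, rsize, rptr


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(pe: bytes) -> dict:
    secs = list(section_headers(pe))
    by_name = any(s[0] in UPX_SECTION_NAMES for s in secs)
    # UPX layout: the first section is an empty placeholder (SizeOfRawData 0,
    # large VirtualSize) that the stub decompresses into at run time; the
    # second carries the compressed payload, so its raw bytes are high-entropy.
    by_layout = False
    if len(secs) >= 2:
        _, vsize0, rsize0, _ = secs[0]
        _, _, rsize1, rptr1 = secs[1]
        payload = pe[rptr1:rptr1 + rsize1]
        by_layout = rsize0 == 0 and vsize0 > 0 and rsize1 > 0 and shannon_entropy(payload) > 7.0
    by_magic = UPX_MAGIC in pe
    return {"section_names": by_name, "layout": by_layout, "magic": by_magic,
            "packed": by_name or by_layout or by_magic}


def build_pe(sections, payload: bytes) -> bytes:
    """Constructed minimal PE32 image (test data, not a real or loadable sample).
    sections: list of (name, VirtualSize, SizeOfRawData); raw data for each
    section is laid out in order after the headers and taken from payload."""
    e_lfanew, opt_size = 0x40, 0x60
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    hdrs = b""
    for name, vsize, rsize in sections:
        hdrs += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, rsize, raw_ptr if rsize else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += rsize
    return dos + b"PE\0\0" + coff + opt + hdrs + payload


# A uniform byte distribution stands in for compressed data (entropy 8.0).
HIGH_ENTROPY = bytes(range(256)) * 16
# 0x3E000 mirrors the mapped image size in the report (0x400000-0x43E000).
PACKED = build_pe([(b"UPX0", 0x3E000, 0), (b"UPX1", 0x10000, len(HIGH_ENTROPY) + 4)],
                  UPX_MAGIC + HIGH_ENTROPY)
RENAMED = build_pe([(b".text0", 0x3E000, 0), (b".text1", 0x10000, len(HIGH_ENTROPY))],
                   HIGH_ENTROPY)
PLAIN = build_pe([(b".text", 0x1000, 4096), (b".data", 0x1000, 0)], b"\x90" * 4096)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("renamed", RENAMED), ("plain", PLAIN)):
        print(label, upx_indicators(image))
```

The entropy threshold of 7.0 is a working value, not a UPX constant: stock UPX payloads sit close to 8.0, while an unpacked .text section of ordinary x86 code is usually well under 7.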

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe
    "C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2224
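The "Executes dropped EXE" signature on each child above is a correlation between a file write by one process and a later process launch from that path by the writer or one of its descendants. The block below is an added example of that correlation, not the sandbox's own logic. The event records are constructed from the tree above, the Sysmon-style field names (event 11 for a file write, event 1 for process creation) are an assumption, and the root process's parent PID is set to 0 because the report does not give it. The path normaliser also folds in the WOW64 redirection visible in the third process, whose command line names C:\Windows\System32\omsecor.exe while the image actually runs from C:\Windows\SysWOW64\.

```python
"""Correlate file writes with later process launches to flag 'executes dropped
EXE' chains. Added example, not the sandbox's own logic; the events below are
constructed from the report's process tree and the field names are assumed."""
import ntpath

# Constructed from the process tree. id 11 = file write, id 1 = process create.
# ppid 0 on the first process is a placeholder: the report does not give its parent.
EVENTS = [
    {"id": 1, "pid": 2164, "ppid": 0,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\5dc708aa69cee869ebaf67ff489d1780N.exe",
     "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5dc708aa69cee869ebaf67ff489d1780N.exe\""},
    {"id": 11, "pid": 2164, "target": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"},
    {"id": 1, "pid": 2432, "ppid": 2164,
     "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe",
     "cmdline": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"},
    {"id": 11, "pid": 2432, "target": "C:\\Windows\\SysWOW64\\omsecor.exe"},
    {"id": 1, "pid": 2224, "ppid": 2432,
     "image": "C:\\Windows\\SysWOW64\\omsecor.exe",
     "cmdline": "C:\\Windows\\System32\\omsecor.exe"},
]


def normalize_path(path: str) -> str:
    """Case-fold, strip quotes, and collapse WOW64 file system redirection:
    a 32-bit process on 64-bit Windows that names C:\\Windows\\System32\\...
    actually touches C:\\Windows\\SysWOW64\\..."""
    p = ntpath.normpath(path.strip('"')).lower()
    return p.replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def ancestors(pid: int, parent_of: dict) -> list:
    """PIDs from the direct parent upward, stopping at an unknown or cyclic PID."""
    seen = []
    while pid in parent_of and parent_of[pid] not in seen:
        pid = parent_of[pid]
        seen.append(pid)
    return seen


def dropped_executions(events) -> list:
    """Flag each process whose image was written earlier by itself or an ancestor."""
    dropped = {}      # normalized path -> pid that wrote it
    parent_of = {}    # pid -> ppid, filled as process-create events arrive
    findings = []
    for ev in events:
        if ev["id"] == 11:
            dropped[normalize_path(ev["target"])] = ev["pid"]
        elif ev["id"] == 1:
            parent_of[ev["pid"]] = ev["ppid"]
            image = normalize_path(ev["image"])
            if image not in dropped:
                continue
            writer = dropped[image]
            findings.append({
                "pid": ev["pid"],
                "image": image,
                "dropped_by": writer,
                "writer_is_ancestor": writer in ancestors(ev["pid"], parent_of),
                # True when only WOW64 redirection reconciles command line and image.
                "cmdline_redirected": normalize_path(ev["cmdline"]) == image
                                      and ev["cmdline"].lower() != ev["image"].lower(),
            })
    return findings


FINDINGS = dropped_executions(EVENTS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f)
```

Without the normaliser, a rule that compares the command line against the set of written paths would miss the SysWOW64 copy, because the write was recorded under SysWOW64 and the launch under System32.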

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    248KB

    MD5

    69831108eb6b444b612974498367891a

    SHA1

    241538951c7d8a3f395beb07cf3592e3166fffad

    SHA256

    a717da0318c9f9f61435ddde394ac56149a601755a5b3bc8a2711a8439ab25f7

    SHA512

    d702ff06b6ff4254fae92a0ef31b49684368ea56f30b7f1c4e6a0cf5310f21340a653f11d574ca1aef50d7220c50c0eaba49663bb49101706e8b4b61ce9c9edc

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    248KB

    MD5

    9884a1654900cbe5238d434659da9409

    SHA1

    d8059bfdcef1f1d9adb2bb1cdf8a51127a1caa3d

    SHA256

    69d97defdfa517351a3dafcf3c10698cee6651bd0c60b2db332b2c0cb27a2e11

    SHA512

    37e0e95822790e01edda30410555f6767acccf27892601338d3402fb28f83103287f09a7d546d688788cef6ef45ccadd2863566ddae5608bcd21d34139b821ba

  • memory/2164-1-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2224-25-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2432-9-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2432-11-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2432-16-0x0000000000380000-0x00000000003BE000-memory.dmp

    Filesize

    248KB

  • memory/2432-23-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB