Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-08-2024 11:23

General

  • Target

    5dc708aa69cee869ebaf67ff489d1780N.exe

  • Size

    248KB

  • MD5

    5dc708aa69cee869ebaf67ff489d1780

  • SHA1

    e4804f8293be1d18b2943664aa01c70235fb2e06

  • SHA256

    8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370

  • SHA512

    d9e4cbbc51812dcb695d450930b76f727f4c45cb0d80b1563ad48c5beb40586c4f1f608d2b561f598b777106cf1e472b3826d1a6750faf1dd3f3908321dd00dd

  • SSDEEP

    1536:k4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:kIdseIO+EZEyFjEOFqTiQmGnOHjzU

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (3 IoCs)
  • UPX packed file (12 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Drops file in System32 directory (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe
    "C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    248KB

    MD5

    436104d9535959b9021a335467edb7f9

    SHA1

    173271133a660de9a9a87801a45dce29bffbf8f1

    SHA256

    56110cd1f933ef8c3b468fbd05fcfa783ae596e815ebe84a4c717dc0c783d9e0

    SHA512

    c04b3f43a88645153d667815a73a5a764ece6256621dec109a277d8ca83bcadecd2d0633d54f3f5e6b930d061f830f2abcc7efe0d12bd11f3b9b50ea68ee3af5

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    248KB

    MD5

    69831108eb6b444b612974498367891a

    SHA1

    241538951c7d8a3f395beb07cf3592e3166fffad

    SHA256

    a717da0318c9f9f61435ddde394ac56149a601755a5b3bc8a2711a8439ab25f7

    SHA512

    d702ff06b6ff4254fae92a0ef31b49684368ea56f30b7f1c4e6a0cf5310f21340a653f11d574ca1aef50d7220c50c0eaba49663bb49101706e8b4b61ce9c9edc

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    248KB

    MD5

    2a1d1ee3e3f523894efe4982d53ed7fb

    SHA1

    47799d4f982364014462a3c3a34338d7dc82b9f6

    SHA256

    5e24ab16d27327333dc00d10e0c16314053768a199478d5ae8b4817c5094e1fa

    SHA512

    6d49f8ab77d28fc360439687e900929b8d198c44c180954bd62d0a95c8a3e6d375ddda88a40e747d2d179269283cc0652859c3116c866682d52854f305cd574f

  • memory/1768-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/1768-5-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2044-17-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2044-20-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2232-11-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2232-18-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2416-4-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2416-7-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2416-13-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB