Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-08-2024 11:33

General

  • Target

    5ff42997329bb240d36b3877786d8970N.exe

  • Size

    76KB

  • MD5

    5ff42997329bb240d36b3877786d8970

  • SHA1

    df07d4cd63c874aa9ada4227612c0775a2e00543

  • SHA256

    bf8c000f958ecffc7527b9930deea9e84ae43ca31ad5fb8249a948654fe59786

  • SHA512

    5ba27ebe69c19482b7a651cdf068fc99dcc7c970785b1edce194c26e7b3618487639ffba4e65a999ecfd24a5ab71144385963f42d3570d44d4516504659d2639

  • SSDEEP

    768:mMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:mbIvYvZEyFKF6N4yS+AQmZTl/5O

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe
    "C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3428
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3424

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    355eade5dafcd0eb244d38458c1ba459

    SHA1

    2c0fd1dabd23c4082dd9a7259b9eb966f30fa2be

    SHA256

    9215066b3a6a7c02b0e26ff9b560e644d8640c556a22e8ba3fac8ae6eb03399a

    SHA512

    eef7763febbf5ba66933dec987b2a2eb4412cf75e76d498a1f5f4f573514ae00fb61300a391faa5f28359f5958092c5388ff50d4a6824835df319589bf66d2dc

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    ac15f7cbb36ce4d213bf65ccd3dd81f9

    SHA1

    9059c966cd5a981203d7b6fac9ae1cf3caff1356

    SHA256

    c130fe3c09576a3aa60344ef1149d09def3b0d5102acfc42f7f9e872b577dbf2

    SHA512

    d9fab174bab93f3d53bdbc76feb950ac3754dae300620ff6c14f63c6608604988b5e4ccd22746d634e6ce8b546d386872cc0372f6c7b58a02391768337a611b6

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    76KB

    MD5

    41b80933318ba103baa94933319adecc

    SHA1

    9c1a330eb8ba2917a3009ac5f017165de3331cb4

    SHA256

    b96a6f8b33bb7778a956814ce13c797a0374523e16405a5b933d5309ac98415f

    SHA512

    ff928a86bd33cd83e0f01b69487cac10ebc6462079d7c30facb6ff612e6c8e923c2cc206bd18c47d5e676d52cc116a0ebc70f512bec6771ced026af56d74c01c