Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-08-2024 12:31

General

  • Target

    9ef5e0aff3983414d5fc6ee69674a8a0N.exe

  • Size

    35KB

  • MD5

    9ef5e0aff3983414d5fc6ee69674a8a0

  • SHA1

    37b0a2d701473457f5ab1e207169eb520b119060

  • SHA256

    6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180

  • SHA512

    c5ed45285648f7124fd32957610570874c3c8e6f48c4854cc7a61e7abb72dda4c191c0d5480bed0eb63da88932fde10d39b511dd779e1e857302623853f6c468

  • SSDEEP

    768:Z6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:08Z0kA7FHlO2OwOTUtKjpB

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs
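The "UPX packed file" verdict above is the kind of thing worth re-checking on the sample itself before trusting it: 35KB on disk against a 180KB mapped image (0x42D000 - 0x400000 = 0x2D000) is consistent with a packer, but the signature also covers modified UPX builds, which routinely rename sections and strip the marker. The following is an added example, not part of the sandbox report or the sample: a minimal PE section-table walker that reports the two indicators a stock UPX build leaves behind (section names `UPX0`/`UPX1`/`UPX2` and the `UPX!` string). The `build_fake_pe` helper constructs a synthetic PE skeleton so the check runs offline; it is not derived from any file in this report.

```python
import struct

# Added example, not part of the sandbox report: a minimal PE section-table
# walker that looks for the indicators a stock UPX build leaves behind.
# A modified UPX (which the signature above also covers) commonly renames
# the sections and strips the "UPX!" marker, so absence is not proof of a
# clean file; presence is a strong hint.

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image; raise ValueError if it is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt             # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Collect UPX hints: known section names and the 'UPX!' header marker."""
    names = pe_section_names(data)
    return {
        "section_names": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_marker": b"UPX!" in data,
    }


def build_fake_pe(section_names, marker: bool) -> bytes:
    """Constructed PE skeleton for offline testing; not derived from the sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    size_opt = 0xE0                                  # PE32 optional header size, left zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    body = bytearray(b"PE\0\0" + coff + bytes(size_opt))
    for name in section_names:
        body += name.ljust(8, b"\0") + bytes(32)     # 8-byte name + zeroed header fields
    if marker:
        body += b"UPX!"                              # stock UPX writes this after the headers
    return bytes(dos) + bytes(body)


if __name__ == "__main__":
    print(upx_indicators(build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], True)))
```

Run `upx_indicators(open(path, "rb").read())` against the sample and the two dropped copies; if the section names come back as something other than `UPX0`/`UPX1` while the on-disk-to-mapped size ratio stays this skewed, treat it as the modified-UPX case the signature mentions rather than as a clean file.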

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1384
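The tree above is the part of this report that turns into a hunt: a binary in `AppData\Local\Temp` drops and runs a copy in `AppData\Roaming`, which in turn plants a copy in the system directory. Note that the command line reads `C:\Windows\System32\omsecor.exe` while the file lands in `SysWOW64`; the sample is 32-bit (`arch:x86`), so its write to `System32` is redirected by WoW64, and any rule keyed on the directory has to match both. The following is an added example, not sandbox output: it applies hash, process-lineage and C2-name rules to a list of event records. The hashes, hosts and paths are copied from this report; the records in `SAMPLE_EVENTS` (including the `explorer.exe` parent and the benign `notepad.exe` and `example.com` entries) are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Added example, not sandbox output: hunts the chain in this report across
# process-creation and DNS records. Indicators are copied from the report;
# the records in SAMPLE_EVENTS are constructed for illustration.

REPORTED_SHA256 = {
    "6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180": "initial sample",
    "dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc": "Roaming omsecor.exe",
    "ca0f34c55405e8366cf93ab54885b02c3dbd9101eaaf9706bc0447aa43d05692": "SysWOW64 omsecor.exe",
}
REPORTED_C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}

# Path shapes from the process tree; SysWOW64 is matched alongside System32
# because a 32-bit dropper's write to System32 is redirected there by WoW64.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
SYSDIR_EXE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.I)


@dataclass
class Finding:
    rule: str
    detail: str


def hunt(events):
    """Apply hash, process-lineage and C2 rules to a list of event dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            img, parent = ev["image"], ev.get("parent_image", "")
            label = REPORTED_SHA256.get(ev.get("sha256", "").lower())
            if label:
                findings.append(Finding("hash-match", f"{img} = {label}"))
            if ROAMING_EXE.search(img) and TEMP_EXE.search(parent):
                findings.append(Finding("temp-drops-roaming", f"{parent} -> {img}"))
            if SYSDIR_EXE.search(img) and ROAMING_EXE.search(parent):
                findings.append(Finding("roaming-spawns-sysdir", f"{parent} -> {img}"))
        elif ev["type"] == "dns":
            host = ev["query"].lower().rstrip(".")   # tolerate a trailing dot in the query
            if host in REPORTED_C2_HOSTS:
                findings.append(Finding("c2-dns", host))
    return findings


SAMPLE_EVENTS = [  # constructed: mirrors the report's tree plus benign noise
    {"type": "process", "pid": 1360,
     "image": r"C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe",
     "parent_image": r"C:\Windows\explorer.exe",   # assumed parent, not in the report
     "sha256": "6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180"},
    {"type": "process", "pid": 5004,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe",
     "sha256": "dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc"},
    {"type": "process", "pid": 1384,
     "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "parent_image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "ca0f34c55405e8366cf93ab54885b02c3dbd9101eaaf9706bc0447aa43d05692"},
    {"type": "process", "pid": 7777,                 # benign: should produce nothing
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "0" * 64},
    {"type": "dns", "pid": 1384, "query": "ow5dirasuek.com"},
    {"type": "dns", "pid": 1384, "query": "lousta.net."},
    {"type": "dns", "pid": 4242, "query": "example.com"},   # benign
]


def run_sample():
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] {f.detail}")
```

The hash rule only catches these exact builds; the two lineage rules are what carry over to the next repack, and they are deliberately narrow (an `.exe` directly under `AppData\Roaming` whose parent sits directly under `AppData\Local\Temp`, then a system-directory `.exe` whose parent is that Roaming file), because loosening either to "anything under AppData" will fire on legitimate installers. Note the report's own Network section is empty for this run, so the DNS rule is there for the C2 hosts in the extracted config rather than for traffic the sandbox observed.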

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    a2b4a322bc57c590c56a4cd09ed4c4b4

    SHA1

    af712caf7817eca258eac0742d8d19786f0d7a04

    SHA256

    dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc

    SHA512

    5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    35KB

    MD5

    d3d933d5522db2197e9d43c1ddac126a

    SHA1

    3df9f95a01aaab85cb88d21fd03f7d58e300afb1

    SHA256

    ca0f34c55405e8366cf93ab54885b02c3dbd9101eaaf9706bc0447aa43d05692

    SHA512

    1af87fa818af16d1a4aeb48e78fd07a7a5875e4a5cca6dc5c1458137ee4015c7538aed3ea6bbf5fa53b077889ec2a9698dc1a91b09f6b272e790df2ec4199318

  • memory/1360-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1360-6-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1384-19-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1384-23-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/5004-4-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/5004-8-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/5004-11-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/5004-14-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/5004-15-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/5004-22-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB