Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2024 00:10

General

  • Target

    a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe

  • Size

    92KB

  • MD5

    6b9f893b651a4c9f9bce4860abcf5210

  • SHA1

    2b40dee78eb457c2a6481d6eec8cfa621a7a2135

  • SHA256

    a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f

  • SHA512

    d96a0b5d8f9afb0c5af8b49fad2c97ce2f53f2f328d72932622e866a70b7b6f6af748978875c78689f5da1cdc1cc4b013884ec8a8765f2364d3c3ac4448c8247

  • SSDEEP

    1536:zd9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIO/EZEyFjEOFqTiQm5l/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe
    "C:\Users\Admin\AppData\Local\Temp\a61c1566c8c60a14329ac3217712afdd022b4677aa9538a5d98fae9f9752de6f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    fff7a8898ed69d53a1069422e07a8cf5

    SHA1

    173e886d68080a89b678d83fc81dae27bf4eec2e

    SHA256

    a34a8cb30dc6de3e649ca267af3ab484cf9dc417b71e037a27b88466a3d25c87

    SHA512

    3cdcbbaa41b5e52de0c442bc933457d09285d55feb77878f3a5aaad69c1df94d79b9bdebe3ae6e78a15fca90c7337cdc0995bdd23abed3a65c47599e92ac8579

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    92KB

    MD5

    735a286099302942dc4e218a936ac677

    SHA1

    352d158d367ded555f2fad4bfb4df463ba07a4f2

    SHA256

    5e9a6f9b49597ec7f12d19d24d79cdfac1e7d13c426b2abb24337c6615bce1ee

    SHA512

    08c61d71c0d1eaed65472b183b3a379063d3ab322ad454c72bbc9966862c12452c67cb325dcf832f7bafd63e55d9ff92e26d291b2c517e1c605465212d001fec

  • memory/536-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/536-6-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2776-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2776-14-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3004-4-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3004-7-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3004-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB