Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    19-08-2024 06:35

General

  • Target

    56273b3463f33f24297a72d47b2cd370N.exe

  • Size

    35KB

  • MD5

    56273b3463f33f24297a72d47b2cd370

  • SHA1

    86bfd5cd55fd3ab790e5f24f11f380288b7294d2

  • SHA256

    7c703e5bb2539d52b2a22c4bfd09667d25747c916b17e45a64f9a788da8f11c5

  • SHA512

    14ea8a4ab0c68ade1ee31fdf354288d3a533e12d8e2366a341de6d7e0d863589a54fc6b8c4180a293c3d977cae433e2b3835bb8f3c270e9d09e703772fe96348

  • SSDEEP

    768:A6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:X8Z0kA7FHlO2OwOTUtKjpB

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with the UPX open-source packer or a modified build of it.

  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs
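
The "UPX packed file" signature above fires 16 times across the sample and its drops. The report does not publish the rule behind it, so the following is an added example (not sandbox code) of the two observable traits a UPX-style packer leaves in the PE section table: the UPX0/UPX1 section names, and, for modified builds that rename sections, a first section with zero raw data but a large virtual size (the region the stub unpacks into). The PE images are constructed in-line (headers only, no code) so the check runs offline; `build_pe`, the section layouts and the 0x1000 threshold are assumptions for illustration.

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, raw_size), ...] from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, pe, table + i * 40)
        name = fields[0].rstrip(b"\0").decode("latin-1")
        virtual_size, raw_size = fields[1], fields[3]
        sections.append((name, virtual_size, raw_size))
    return sections


def looks_upx_packed(pe: bytes) -> bool:
    """Heuristic: stock UPX section names, or (renamed builds) a first section
    with no raw data but a large virtual size, i.e. the unpacking destination."""
    sections = parse_sections(pe)
    names = {name for name, _, _ in sections}
    if {"UPX0", "UPX1"} <= names:
        return True
    if sections:
        _, first_vsize, first_raw = sections[0]
        if first_raw == 0 and first_vsize >= 0x1000:   # threshold is an assumption
            return True
    return False


def build_pe(sections):
    """Constructed PE32 header-only image for offline testing; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)          # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"),
                    vsize, vaddr, raw, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, raw, rawptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


# Constructed layouts: stock UPX, a renamed UPX build, and plain compiler output.
UPX_SAMPLE = build_pe([
    ("UPX0", 0x1E000, 0x1000, 0, 0x400, 0xE0000080),
    ("UPX1", 0x8000, 0x1F000, 0x7A00, 0x400, 0xE0000040),
    (".rsrc", 0x1000, 0x27000, 0x400, 0x7E00, 0xC0000040),
])
RENAMED_SAMPLE = build_pe([
    (".text", 0x1E000, 0x1000, 0, 0x400, 0xE0000080),
    (".data", 0x8000, 0x1F000, 0x7A00, 0x400, 0xE0000040),
])
CLEAN_SAMPLE = build_pe([
    (".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
    (".data", 0x1000, 0x6000, 0x200, 0x5400, 0xC0000040),
])

if __name__ == "__main__":
    for label, img in (("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, [n for n, _, _ in parse_sections(img)], looks_upx_packed(img))
```

The layout trait is a heuristic, not proof: a hand-built image that legitimately starts with an uninitialised section will also match, so treat a hit as a reason to look at entropy and the entry point, not as a verdict.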

Processes

  • C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe
    "C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    ce7aa3954c5dcdafdbf8443875850f25

    SHA1

    3d5d362d4ee07bcce26666ba0a38a99581b0be8e

    SHA256

    d2f7023e0f5893887e70f311ae4f4c4321a857509b0ef5522ab83fc25b5a1d72

    SHA512

    35dd7c23b771074e71e6d3d1afd5cf4c65f48eeec3c3abfc5b22f33fc27a4f473d891b3d748ae2eee9122302deb19b00f76dd3ac553485fb5cbda192766f2897

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    28f7b42bc3a38fa59e152eadbe67e32d

    SHA1

    65ce4848621354701a14a380fa9903b21460e977

    SHA256

    94dc7b5e601bc356095a3a6371e8dc393597a946a5cddc73e497b6fb749df6c8

    SHA512

    f84ff50dd9b4a9166b77df75b52dfa217a5acf4ff05a13fbd4fb162f2a29980e6f46e24c821d00d914f87a4088d8e739eced088ef78963c781ba0ab6d07eece8

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    35KB

    MD5

    0ce8cedc297e182c1494c3b83ac7eb0a

    SHA1

    a67a247d2e1f93e399ed453ffc34fc8000dd2745

    SHA256

    119c0730e11693aa2e8e7b0673d6e69c020433a534521433b72f8ae696ced20a

    SHA512

    8d5db0e7e1f962a6293be140ea590f2c2aafe933708b51e697c3912f08e9836b0dc1cf0869c564ea4184f4c8398d4d067812e38ff24ad647edbe2a5b03d13535

  • memory/1936-33-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1936-51-0x0000000000530000-0x000000000055D000-memory.dmp

    Filesize

    180KB

  • memory/1936-13-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1936-34-0x0000000000530000-0x000000000055D000-memory.dmp

    Filesize

    180KB

  • memory/1936-15-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1936-18-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1936-21-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1936-24-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2520-8-0x0000000000220000-0x000000000024D000-memory.dmp

    Filesize

    180KB

  • memory/2520-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2520-12-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2520-9-0x0000000000220000-0x000000000024D000-memory.dmp

    Filesize

    180KB

  • memory/2976-50-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2976-52-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3036-36-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3036-41-0x00000000001B0000-0x00000000001DD000-memory.dmp

    Filesize

    180KB

  • memory/3036-47-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB
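
The observables this report exposes (the three C2 URLs under Malware Config, the omsecor.exe drop paths and parent/child chain under Processes, and the SHA256 values under General and Downloads) can be turned directly into a hunting check. The following is an added example, not part of the sandbox output: it encodes those indicators and evaluates them over constructed telemetry records modelled on process-creation and DNS events. The record format, field names and the sample events are assumptions for illustration; the hashes, hosts and paths are copied from the report.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the report.
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
KNOWN_SHA256 = {
    "7c703e5bb2539d52b2a22c4bfd09667d25747c916b17e45a64f9a788da8f11c5",  # submitted sample
    "d2f7023e0f5893887e70f311ae4f4c4321a857509b0ef5522ab83fc25b5a1d72",  # Roaming\omsecor.exe
    "94dc7b5e601bc356095a3a6371e8dc393597a946a5cddc73e497b6fb749df6c8",  # Roaming\omsecor.exe (2nd)
    "119c0730e11693aa2e8e7b0673d6e69c020433a534521433b72f8ae696ced20a",  # SysWOW64\omsecor.exe
}
# Drop locations from the process tree. The profile name is wildcarded and both
# System32 and SysWOW64 are accepted: the tree shows the 32-bit payload naming
# C:\Windows\System32\omsecor.exe while the image on disk sits under SysWOW64,
# which is WOW64 file-system redirection on the x64 host.
DROP_PATHS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$", re.I),
    re.compile(r"^c:\\windows\\(system32|syswow64)\\omsecor\.exe$", re.I),
]


def is_drop_path(path: str) -> bool:
    return any(p.match(path) for p in DROP_PATHS)


def evaluate(events):
    """Return (rule_name, pid) hits for a list of telemetry records."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            image, parent = ev["image"], ev.get("parent_image", "")
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                hits.append(("known_neconyd_hash", ev["pid"]))
            if is_drop_path(image) and is_drop_path(parent):
                hits.append(("omsecor_chain", ev["pid"]))          # drop spawning drop
            elif is_drop_path(image):
                hits.append(("omsecor_drop_executed", ev["pid"]))  # first stage launching the drop
        elif ev["type"] == "dns_query":
            if ev["query"].lower().rstrip(".") in C2_HOSTS:
                hits.append(("neconyd_c2_lookup", ev["pid"]))
    return hits


# Constructed records mirroring the report's process tree (field names assumed).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2520, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe",
     "sha256": "7c703e5bb2539d52b2a22c4bfd09667d25747c916b17e45a64f9a788da8f11c5"},
    {"type": "process_create", "pid": 1936,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe",
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "d2f7023e0f5893887e70f311ae4f4c4321a857509b0ef5522ab83fc25b5a1d72"},
    {"type": "process_create", "pid": 3036, "parent_image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "sha256": "119c0730e11693aa2e8e7b0673d6e69c020433a534521433b72f8ae696ced20a"},
    {"type": "process_create", "pid": 2976, "parent_image": r"C:\Windows\SysWOW64\omsecor.exe",
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "94dc7b5e601bc356095a3a6371e8dc393597a946a5cddc73e497b6fb749df6c8"},
    {"type": "dns_query", "pid": 2976, "query": "ow5dirasuek.com"},
    {"type": "dns_query", "pid": 900, "query": "ctldl.windowsupdate.com"},   # benign noise
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid}")
```

Hash matches are the brittlest of the three checks: each omsecor.exe copy in the Downloads list has a different hash despite the identical 35KB size, so a rebuilt or re-packed sample will evade them while the path chain and the C2 hostnames still fire.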