Analysis

  • max time kernel
    115s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-08-2024 06:35

General

  • Target

    56273b3463f33f24297a72d47b2cd370N.exe

  • Size

    35KB

  • MD5

    56273b3463f33f24297a72d47b2cd370

  • SHA1

    86bfd5cd55fd3ab790e5f24f11f380288b7294d2

  • SHA256

    7c703e5bb2539d52b2a22c4bfd09667d25747c916b17e45a64f9a788da8f11c5

  • SHA512

    14ea8a4ab0c68ade1ee31fdf354288d3a533e12d8e2366a341de6d7e0d863589a54fc6b8c4180a293c3d977cae433e2b3835bb8f3c270e9d09e703772fe96348

  • SSDEEP

    768:A6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:X8Z0kA7FHlO2OwOTUtKjpB

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe
    "C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2756

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    ce7aa3954c5dcdafdbf8443875850f25

    SHA1

    3d5d362d4ee07bcce26666ba0a38a99581b0be8e

    SHA256

    d2f7023e0f5893887e70f311ae4f4c4321a857509b0ef5522ab83fc25b5a1d72

    SHA512

    35dd7c23b771074e71e6d3d1afd5cf4c65f48eeec3c3abfc5b22f33fc27a4f473d891b3d748ae2eee9122302deb19b00f76dd3ac553485fb5cbda192766f2897

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    35KB

    MD5

    7ddb7511628fba5209fdcbac68d074be

    SHA1

    035d9f4eb7e47100597715e5fb50c6ec0de7a464

    SHA256

    c2d1a10d73d708777123c0712d1c6b6d549c7f35715e572b632637137078057f

    SHA512

    d83d7f80600addbe063d321672131dec810c3f364ec337948a30a4ff781c73205f06cd38e5a4ef49338efbfa0e80fbb04cc8f4a05dd5be44f5f51e00dbbfd573

  • memory/2756-19-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2756-23-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4092-4-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4092-8-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4092-11-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4092-14-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4092-15-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4092-22-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4856-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4856-7-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB