Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2024 12:48

General

  • Target

    feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe

  • Size

    248KB

  • MD5

    4f8b5ded61b51de6d2d27f0e2a473a30

  • SHA1

    3d58be86f9b50ae09a0a0a71521297dd241aefc6

  • SHA256

    feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707

  • SHA512

    ebc97a82579408b5d44440877927033517f21d24f83d0a1147b8840585c3f43d726067d12112fab1029e8e0abc9f781748de86f1defd4f36c89865b980dccb4b

  • SSDEEP

    1536:I4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:IIdseIO+EZEyFjEOFqTiQmGnOHjzU

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe
    "C:\Users\Admin\AppData\Local\Temp\feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    248KB

    MD5

    795a05ea0a425d39884d9c4208eb97c1

    SHA1

    3c73418c3cbb03e1d1b3fd8013592f3a37cc0e6d

    SHA256

    c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17

    SHA512

    55682933038eae5bff03445095395f883ea7df84d65753dcc70a2a073af3bcf4e634e59be3a61833eda48ff852fec011341744e2ddeb04b57891c86c81c6288a

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    248KB

    MD5

    b8ec916eab9bef1eaca9e3c7c5e8861a

    SHA1

    5e0ef4531515cb4b37d66fbd8dfe4922f7b67933

    SHA256

    ed164ea6534bd08141629deaa8adb57678beb9ba0f7a9a14feca287b09d6e055

    SHA512

    5c264ddb1493d46c1143b9de19b1ff64c516bc724255766d50a52e40bdf99b538ee57d46723c47c3a36574f9325ac0dcd92fbef96ef82dc7942c4688b929b901

  • memory/1652-11-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/1652-14-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3140-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3140-6-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/4972-4-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/4972-7-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/4972-13-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB