Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2024 12:42

General

  • Target

    4f8b5ded61b51de6d2d27f0e2a473a30N.exe

  • Size

    248KB

  • MD5

    4f8b5ded61b51de6d2d27f0e2a473a30

  • SHA1

    3d58be86f9b50ae09a0a0a71521297dd241aefc6

  • SHA256

    feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707

  • SHA512

    ebc97a82579408b5d44440877927033517f21d24f83d0a1147b8840585c3f43d726067d12112fab1029e8e0abc9f781748de86f1defd4f36c89865b980dccb4b

  • SSDEEP

    1536:I4d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:IIdseIO+EZEyFjEOFqTiQmGnOHjzU

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe
    "C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    248KB

    MD5

    abd192b4a64298a5427850694a21ef96

    SHA1

    8f26e4876a37fbf6142ecb91f17fc441716c5987

    SHA256

    334b40a9df4a5e027483a0c44f70fbb00779801aecfe355a5646ef3b01205546

    SHA512

    a8d8f49b3af76eaf684eec4ef0abf671e1bc8390924979dd73df7e7a95f6eada2246553a0c9c9e75ad31a252e0a58005c9907fb608be0b97e57e9e94f38dd6a1

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    248KB

    MD5

    795a05ea0a425d39884d9c4208eb97c1

    SHA1

    3c73418c3cbb03e1d1b3fd8013592f3a37cc0e6d

    SHA256

    c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17

    SHA512

    55682933038eae5bff03445095395f883ea7df84d65753dcc70a2a073af3bcf4e634e59be3a61833eda48ff852fec011341744e2ddeb04b57891c86c81c6288a

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    248KB

    MD5

    33fd7f7ad2095c91d62e0c5ae4268ce6

    SHA1

    9274a1d9ba6c9fc5ed6e15e4087395c504946a78

    SHA256

    12b68ec9ce77ffd5d923d4b8b000cd739b2550b9ae84c57387be752064fa783d

    SHA512

    bb5c391e9f99331784fcd19b0d0b5a7db699a7c64a60c996f85c7fd0b44ecc74cdc7c597c348397ff41675a26e6d4c6072b7a831ec0eccbd715f336322f2e935

  • memory/1668-18-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/1668-20-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3104-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3104-5-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3852-4-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3852-7-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3852-13-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/4916-11-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/4916-17-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB