Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 10:40

General

  • Target

    6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe

  • Size

    71KB

  • MD5

    bd559dcda44a612a74f6c1e219110db0

  • SHA1

    0e9a08ee761b1e580581cf534094454c0329b91c

  • SHA256

    6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737

  • SHA512

    f455c04cc62ec1863a59eb24a66c47b498d14ff38d08ebe8fa2ec2710dbd55f1de02de53b2c74aa1cb0e778c0ad76b80186fe8f3b0f494702c98820ab729a45a

  • SSDEEP

    1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:kdseIOMEZEyFjEOFqTiQmQDHIbH

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe
    "C:\Users\Admin\AppData\Local\Temp\6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    71KB

    MD5

    2d714ea31382fbe2bad53bfbc000e91a

    SHA1

    7cccb8b158784492ac1e9d8ddb0a9eb5f1559159

    SHA256

    ec4e6ab21207022350897d0ae96843a1f92fd9e34a44c2b23054b7f606e16b93

    SHA512

    659919a5657c4443f921f209b38489b057a9d975c26012dbdbfab4eda020a2878181869d1d1ff8d6ebdfa0d85b753fb2a1a5609b46fbd165bf02b502cb864114

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    71KB

    MD5

    1b78b48f09ae5fcfebdf7027a3c8021a

    SHA1

    dc9867e4420cb53d3da4e53e1e66b569eb25d563

    SHA256

    6849fb7938c7d0214ab7543b609687656de383c2123dd4f48639edae4baf2033

    SHA512

    149b843ed03fc6c4bd921404afbf8ca08f23aba85708f2e30b06dff98104566a72c6f3172cef4622627d19c63487cb8110c5dbe23f1e673e2b4a497e45c0c596

  • memory/1120-4-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1120-7-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1120-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1948-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1948-14-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4540-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4540-6-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB