Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-01-2025 22:30

General

  • Target
    2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
  • Size
    72KB
  • MD5
    63c3eac87a43e1045b78d95d7ec1d2ba
  • SHA1
    a7b9d2f39670f3a035484c521487d15d765de400
  • SHA256
    2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342
  • SHA512
    a5b435c60876ee7d87d1efe719b3d3dab4befa82ab35c899a5730a369ac97ddb7a0709502ce7279f1c2d19eb87b6bb1634631869a5ae8a525d61e78e05f34787
  • SSDEEP
    1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211H:bdseIOMEZEyFjEOFqTiQm5l/5211H

Malware Config

Extracted

  • Family
    neconyd
  • C2
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Drops file in System32 directory (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
    "C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe
    • Filesize
      72KB
    • MD5
      7aa684bca2f474d1490c016504595726
    • SHA1
      8f7390d9883ea1793c3ea05ef3637bb5de55c868
    • SHA256
      57b4bf966900d8f0f3a71c070da4ae4eb65588d2c6757b6e74ab5c91febb0acd
    • SHA512
      b3035ecaa111e1d1fa4111f3f43f4b30e0d19b184236f6a321ff654f61e561d939911e90e436c043458e208d76ece71cec608081010412758bfeaa114802751a
  • \Users\Admin\AppData\Roaming\omsecor.exe
    • Filesize
      72KB
    • MD5
      2b6b0dcbedf5e9ace7cf6e85afd37c08
    • SHA1
      121705f3da88f9817e2bb5dcffe86cc2e878dad4
    • SHA256
      d668d6212d91d692e77c26158351426ce279237bb2dae8dabfa929bd818ecfcc
    • SHA512
      77d3c402ca40bf56f255a91f091fac6954223987227b11c0318573c45a997880066d0372a2b20818e816aaae7d469dba55eeaf0af0ba462db1c0a6b8532dc45e
  • \Windows\SysWOW64\omsecor.exe
    • Filesize
      72KB
    • MD5
      9b70a8dfdee6f97127cf696cb330ef55
    • SHA1
      4e8bb1788b604f0fa01ab08ac83ff574f343a49a
    • SHA256
      f658339fb86fe1d1d352d1cfd122b058d4c5cf3deff1f5624faff074cfe942ab
    • SHA512
      9f20cff76eef86acd6cc1c276e470a43d65637f9185ba69baafa5230d09a62620e8cd5b6c596de9a60248b09729020b6f19941986fdc5e72b4ae58505c4f466b