Analysis

  • max time kernel
    114s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 07:27

General

  • Target

    1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe

  • Size

    61KB

  • MD5

    09534757f4b64fd024a45cc653752a8e

  • SHA1

    56d4789246d617c29d058c8a2cff3ddc32e7394c

  • SHA256

    1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7

  • SHA512

    7deee7ad0d96210149ee8fcdaeacc10403dcd735518bddc58bb5499eea4e47f2514d3ce1b07b61a65fb0cb8165760318bd1494c729434e6a5267ac67652892be

  • SSDEEP

    1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZjl/5C:kdseIOMEZEyFjEOFqTiQmxl/5C

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
    "C:\Users\Admin\AppData\Local\Temp\1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4376
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    7caca308a09eecc9776150a76ff1d316

    SHA1

    6b0d1f091dccbf654530c3cf4d077a9b30d493b8

    SHA256

    93307e703260c21613cb5505026ce9e24569e7ada425215e9dd6b5832933789e

    SHA512

    8d88be50caad1a05435af3a45f9653401d95268c650c811dc76da16ab358550f88b5325e64812d063daac40f32c6166c042c5dc8f6aa9a6c04ae60845340e87c

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    26db7c016a583f578811e13cedcfdcbf

    SHA1

    aa7bb664a2e55869765012aa3ec2b7256ec1c850

    SHA256

    838f89384c7a5227e11a466791d2f391aec92c40aa26792f6cd28e8609c61551

    SHA512

    500921f79da5706064559cd9fd1cfd9f0903df328d53e4e54def91608b54d82c71478765937d6d7a1b9e2516adb063423493b7dbfdf7a7fc6b46767cf0485a8f

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    61KB

    MD5

    0d4b442a5d7ebbfbb76bc74de55d1c9c

    SHA1

    ee9c618361708f0bb4e68c637da3d88ab72488f6

    SHA256

    2d414ba438b890a73303167cfeaa9a5bcc4a959bd9535c821dd78d5c29e86594

    SHA512

    607cc52fb24be6cba53e900521bd00a0d7da5b503b080cdb187caf8aaef1e485a9e6cf65e769d3c1204a191a552de360b7cd179aacb8683060cee9a6047769a9