Malware Forensics: Necurs Dropper via NTSecureSys

Source: Immunity Debugger, IDA Pro



File: necurs_dropper[.]exe
Size: 97792 Bytes
MD5: 6B3D2D146E683DAF0DEB906D57393E22

Mutex:
Name *    
————————————————–
   Instance0:  ESENT Performance Data Schema Version 40  

Ports:
Port    PID    Type    Path    
————————————————–

  • 3417    2688 TCP    C:\Documents and Settings\Administrator\Desktop\dropper[.]exe    
  • 3418    3536 TCP    C:\Documents and Settings\Administrator\Desktop\dropper[.]exe    
  • 3419    384 TCP    C:\Documents and Settings\Administrator\Desktop\dropper


API Logger (Interesting Calls):

  • 91222     CreateFileA(\\.\NtSecureSys)    
  • 912c6     GetCurrentProcessId()=2688
  • 771bd3a9     connect(69.50.214[.]54:80)

URLs (via GlobalAddAtomA API):
————————————————–
Picture
Picture
RegKeys (Anti-AV Check):
————————————————–

  • SUNBELT SOFTWARE
  • Sunbelt Software
  • G DATA Software
  • CJSC Returnil Software
  • Check Point Software Technologies Ltd
  • Panda Software International
  • FRISK Software International Ltd
  • ALWIL Software
  • SUNBELT SOFTWARE
  • Sunbelt Software
  • G DATA Software
  • CJSC Returnil Software
  • Check Point Software Technologies Ltd
  • Panda Software International
  • FRISK Software International Ltd
  • ALWIL Software

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s