Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 21:34

General

  • Target

    50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe

  • Size

    73KB

  • MD5

    372368f243b6e6b68d93ece33065a7c0

  • SHA1

    1db74e410b302830739be85335b4d585759a4348

  • SHA256

    50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0

  • SHA512

    06dd900cf1c7a430b6247cbc72bcfd878f54360722d4cb6485bc9795c84fb570ecbdde82e24155b63479a55858edfeaead224e5fdbc4acd02e0ab52c1e759647

  • SSDEEP

    1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe
    "C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2468

Network

MITRE ATT&CK Matrix

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    73KB

    MD5

    05fc9aab25226c1f2da96dfa8682a93b

    SHA1

    bd1a7116b2f15e2927d15346ed2abe19fdae02c3

    SHA256

    e7dc95a8ea86d54e96a915dcfd13878f52276563ae97f16c567286567e342f58

    SHA512

    e621fc57387a6d696184f915583be15e409b4d22975329c49cd1a9a2f9cdb2f9ebca3e369abb83a6fd58fb84e7f2ed322bae00e8908082321851861a6969fe77

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    73KB

    MD5

    540b9b67841d4199b21880644c909be1

    SHA1

    529a68d19b90f49eeb0275660661734dd0071abc

    SHA256

    c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b

    SHA512

    18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    73KB

    MD5

    0d527f37cfeed9b2c20416a8ee34750d

    SHA1

    37129a3759cf88a97daf9d218d44601f2dea7db9

    SHA256

    0f3b9e3a64376b0e21ab5c67de30922df466127b5027f49307817817739e1843

    SHA512

    471f6a7ea25eee0b476e330b8005b70a0617eab20786e0c85f62ae7636c5f316143d512d57348433e111d94f97997e627337e8a92512af47fcabc8aaadac0b7d