Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 21:34

General

  • Target

    50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe

  • Size

    73KB

  • MD5

    372368f243b6e6b68d93ece33065a7c0

  • SHA1

    1db74e410b302830739be85335b4d585759a4348

  • SHA256

    50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0

  • SHA512

    06dd900cf1c7a430b6247cbc72bcfd878f54360722d4cb6485bc9795c84fb570ecbdde82e24155b63479a55858edfeaead224e5fdbc4acd02e0ab52c1e759647

  • SSDEEP

    1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe
    "C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:3176

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    73KB

    MD5

    540b9b67841d4199b21880644c909be1

    SHA1

    529a68d19b90f49eeb0275660661734dd0071abc

    SHA256

    c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b

    SHA512

    18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    73KB

    MD5

    1de9e1c6719ac9d020b79eb85aa3951f

    SHA1

    08ee657ab95b829d8730232278e20f9a10b5fcaa

    SHA256

    078d8748c33fd6e646a6b7a7970bf2d1f2f89089ffa13fb34d4848bff1bd2608

    SHA512

    93b727ef35e3601b15c36651e303bc130b8f119cf960bb478e8568808fbb3e95d69149fc7490da459a730cd29a815b5c111f410b7271ca1ff7ed6c423f46e0ed