Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 18:15

General

  • Target

    03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe

  • Size

    35KB

  • MD5

    3f18b1f77502bb5435240e0fcb88e7d7

  • SHA1

    350c92fe0c3912118364e011d50fafa6bb0e2ebd

  • SHA256

    03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820

  • SHA512

    2ac839c697abadd5c50f9bd9a1b28229449e7068ec97f544f600a00cd97316e3640a19fceeabfd64937d8744c62f8aabe449cf9a5250eec2edb946a6384ab23b

  • SSDEEP

    768:r6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:W8Z0kA7FHlO2OwOTUtKjpB

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • UPX dump on OEP (original entry point) 18 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
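The "UPX packed file" signature above covers both stock UPX and modified builds that rename their sections. The script below is an added example, not part of the sandbox report or its detection engine. It shows three checks a triage tool can run over the raw bytes of a PE: the stock section names (UPX0/UPX1), the "UPX!" loader-info magic that stock UPX leaves in the header area, and the structural tell that survives a renamed build, namely a first section that is empty on disk but large in memory (the unpack destination) next to a writable and executable section. All PE images in the block are constructed in-line (headers only); their section sizes and names are illustrative and not taken from the report.

```python
r"""Heuristic UPX-packing checks over a PE section table.

Added example, not part of the sandbox report. The PE images used below are
constructed in-line (headers only) so the script runs offline; the section
names, sizes and the "UPX!" trailer are illustrative, not from the sample.
"""
import struct

SECTION_HEADER_SIZE = 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return the section table of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        (chars,) = struct.unpack_from("<I", data, off + 36)   # Characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vsize": vsize, "vaddr": vaddr,
            "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
        })
    return sections


def scan_pe(data):
    """Run the packing heuristics; return the individual findings plus a verdict."""
    secs = parse_sections(data)
    first = secs[0] if secs else None
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    findings = {
        "upx_section_names": any(s["name"].startswith("UPX") for s in secs),
        # Stock UPX places its loader-info block ("UPX!" magic) right after the headers.
        "upx_magic": b"UPX!" in data[:0x400],
        # Unpack destination: zero bytes on disk, a whole image's worth of virtual size.
        "empty_first_section": first is not None and first["rawsize"] == 0 and first["vsize"] >= 0x1000,
        "wx_section": any((s["chars"] & wx) == wx for s in secs),
    }
    if findings["upx_section_names"] or findings["upx_magic"]:
        findings["verdict"] = "upx"
    elif findings["empty_first_section"] and findings["wx_section"]:
        findings["verdict"] = "likely_packed"   # renamed or modified packer
    else:
        findings["verdict"] = "not_packed"
    return findings


def build_fake_pe(sections, trailer=b""):
    """Constructed minimal PE32 (DOS stub, COFF header, empty optional header, section table)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections
    )
    return dos + b"PE\0\0" + coff + opt + table + trailer


# Constructed samples: stock UPX layout, a renamed-section variant, and a plain binary.
UPX_SAMPLE = build_fake_pe([
    ("UPX0", 0x2C000, 0x1000, 0, 0x400, 0xE0000080),
    ("UPX1", 0x8000, 0x2D000, 0x7E00, 0x400, 0xE0000040),
    (".rsrc", 0x1000, 0x35000, 0x200, 0x8200, 0x40000040),
], trailer=b"\0" * 16 + b"UPX!" + b"\0" * 12)
RENAMED_SAMPLE = build_fake_pe([
    (".text", 0x2C000, 0x1000, 0, 0x400, 0xE0000080),
    (".data", 0x8000, 0x2D000, 0x7E00, 0x400, 0xE0000040),
])
PLAIN_SAMPLE = build_fake_pe([
    (".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
    (".data", 0x1000, 0x6000, 0x600, 0x5400, 0xC0000040),
])

if __name__ == "__main__":
    for label, blob in (("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, scan_pe(blob))
```

The name and magic checks are cheap but trivially defeated by a rebuilt packer; the empty-first-section plus write+execute check is what still fires on such builds, which is why a verdict of `likely_packed` is worth acting on even when no UPX string is present.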

Processes

  • C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
    "C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1872
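The tree above shows the submitted sample launching omsecor.exe from AppData\Roaming, that copy launching a second omsecor.exe from the Windows directory, and that one relaunching the Roaming copy. Note the third process: its command line names C:\Windows\System32\omsecor.exe while its image path is C:\Windows\SysWOW64\omsecor.exe, which is WoW64 file-system redirection of a 32-bit process on x64 Windows. The script below is an added example, not report content. It reconstructs such a chain from Sysmon-style process-creation events and flags execution from user-writable paths, a dropped EXE spawned by another user-writable EXE, one file name present in both a user profile and a system directory within a single ancestry, the WoW64 redirection just described, and SHA256 matches against the hashes the report lists. The events are constructed to mirror the report's tree; the parent PID of the sample and the mapping of the report's file hashes to PIDs are assumptions, since the report ties hashes to files, not to processes.

```python
r"""Process-chain triage for the drop-and-relaunch pattern in the report.

Added example, not report content. Events are constructed to mirror the
sandbox tree; the sample's parent PID (1000) and the hash-to-PID mapping
are assumptions.
"""
import ntpath
import re

# SHA256 values listed in the report: the target plus the three dropped copies.
REPORT_SHA256 = {
    "03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820",
    "444a7ea04a6e7e3f6f190c936605194e52d9f5c6421ce86327916beb7da8ae8f",
    "b849be64b6ec58db3a44d3246508bd00b0b2dd3f6a52f3600bccaedb86c96a56",
    "532f1e4960cb10c32058615e944050be9423cb2babc9d56c02a47851d56a4c13",
}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe"
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
WOW64_EXE = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed process-creation events (reduced Sysmon Event ID 1 shape).
EVENTS = [
    {"pid": 1708, "ppid": 1000, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"',
     "sha256": "03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820"},
    {"pid": 2444, "ppid": 1708, "image": ROAMING_EXE, "cmdline": ROAMING_EXE,
     "sha256": "444a7ea04a6e7e3f6f190c936605194e52d9f5c6421ce86327916beb7da8ae8f"},
    {"pid": 1516, "ppid": 2444, "image": WOW64_EXE, "cmdline": r"C:\Windows\System32\omsecor.exe",
     "sha256": "532f1e4960cb10c32058615e944050be9423cb2babc9d56c02a47851d56a4c13"},
    {"pid": 1872, "ppid": 1516, "image": ROAMING_EXE, "cmdline": ROAMING_EXE,
     "sha256": "b849be64b6ec58db3a44d3246508bd00b0b2dd3f6a52f3600bccaedb86c96a56"},
    # Benign control event, also constructed.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
]


def ancestry(events, pid):
    """Walk parent links upward; return the chain root-first, ending at pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def triage(events):
    """Return {pid: set(tags)} for every process that trips at least one check."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        tags = set()
        img = e["image"]
        name = ntpath.basename(img).lower()
        parent = by_pid.get(e["ppid"])
        if e["sha256"].lower() in REPORT_SHA256:
            tags.add("ioc_hash_match")
        if USER_WRITABLE.search(img):
            tags.add("exec_from_user_writable")
        if parent and USER_WRITABLE.search(parent["image"]) and USER_WRITABLE.search(img):
            tags.add("dropped_exe_chain")          # user-writable EXE launching another one
        # WoW64: a 32-bit process that starts "System32\x.exe" actually runs SysWOW64\x.exe.
        if "\\system32\\" in e["cmdline"].lower() and "\\syswow64\\" in img.lower():
            tags.add("wow64_redirected_launch")
        same_name = [c["image"] for c in ancestry(events, e["pid"])
                     if ntpath.basename(c["image"]).lower() == name]
        if any(USER_WRITABLE.search(p) for p in same_name) and any(SYSTEM_DIRS.search(p) for p in same_name):
            tags.add("system_dir_masquerade")      # same file name in a profile and in the Windows dir
        if tags:
            findings[e["pid"]] = tags
    return findings


if __name__ == "__main__":
    for pid, tags in sorted(triage(EVENTS).items()):
        print(pid, ", ".join(sorted(tags)))
```

The hash check is the narrowest rule: the report already shows each dropped omsecor.exe carrying a different MD5/SHA256 at the same 35KB size, so a hunt that relies on hashes alone will miss copies from another run. The path and ancestry rules are what generalise across copies.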

Network

MITRE ATT&CK Matrix

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    0b8337b47be228f5d9a0c04845729262

    SHA1

    d7046b7363126715d7b28b450af9c9025d813417

    SHA256

    444a7ea04a6e7e3f6f190c936605194e52d9f5c6421ce86327916beb7da8ae8f

    SHA512

    8bb1fb752dd5375afc8ed3162fe632e7b9d8bcf8949de621844528e3606887ab186d3c2827090675df1bd75d9c0537a4df3529343ce576d4397c74c5a1dd8b6e

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    f42c19e70c2bf60a3165feac22c205e8

    SHA1

    1285e0191642799eee96b905a9118946b22be516

    SHA256

    b849be64b6ec58db3a44d3246508bd00b0b2dd3f6a52f3600bccaedb86c96a56

    SHA512

    21a8e60e3af24a0ef45923f22a514ff5c1945414ed85a67943c587de6fe071eeceaee18b80474aacb11dac4fd286489e575e8706485f1ad3f3cfc56bc37a7943

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    35KB

    MD5

    5678eb9d4df15d70c465362dbed79900

    SHA1

    4c344180092267fdb80e497c23b1fb3a84a1eb55

    SHA256

    532f1e4960cb10c32058615e944050be9423cb2babc9d56c02a47851d56a4c13

    SHA512

    d2a301e9542fd5773191755656a8de790552b2e727d1ea87a227d8861ef7dae6b7e018c281703943f15237c448d3c4f2facd5db44f42e4c576a7948fcba296ed

  • memory/1516-37-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1516-45-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1708-4-0x00000000002A0000-0x00000000002CD000-memory.dmp

    Filesize

    180KB

  • memory/1708-10-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1708-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1872-52-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1872-49-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1872-47-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2444-13-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2444-33-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2444-26-0x0000000000320000-0x000000000034D000-memory.dmp

    Filesize

    180KB

  • memory/2444-23-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2444-20-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2444-17-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2444-14-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB