Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 18:15

General

  • Target

    03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe

  • Size

    35KB

  • MD5

    3f18b1f77502bb5435240e0fcb88e7d7

  • SHA1

    350c92fe0c3912118364e011d50fafa6bb0e2ebd

  • SHA256

    03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820

  • SHA512

    2ac839c697abadd5c50f9bd9a1b28229449e7068ec97f544f600a00cd97316e3640a19fceeabfd64937d8744c62f8aabe449cf9a5250eec2edb946a6384ab23b

  • SSDEEP

    768:r6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:W8Z0kA7FHlO2OwOTUtKjpB

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • UPX dump on OEP (original entry point) 15 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe
    "C:\Users\Admin\AppData\Local\Temp\03c941f677711b137d30dc431257a226b5a5493acdc1f931f2b2ce1c7f0a7820.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4508
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:3164

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    1a1e5cee38301e50d75aaf8a06f59446

    SHA1

    d57fa8331f4b400cd9f353cfd3d17fb79a8749e5

    SHA256

    df203312a86c68973ad88d1b4ebc95ceed679bfe50b0c53fc80f9748cec13063

    SHA512

    a62e84cfa465eca926949434cd4b3c69e5986e7bf77ea5f4ed507a0a95302e3b3e748ab9a8d342405287a5c7ec25e02b33b150fa0a4ce25039e5fa1b59f4fe14

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    0b8337b47be228f5d9a0c04845729262

    SHA1

    d7046b7363126715d7b28b450af9c9025d813417

    SHA256

    444a7ea04a6e7e3f6f190c936605194e52d9f5c6421ce86327916beb7da8ae8f

    SHA512

    8bb1fb752dd5375afc8ed3162fe632e7b9d8bcf8949de621844528e3606887ab186d3c2827090675df1bd75d9c0537a4df3529343ce576d4397c74c5a1dd8b6e

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    35KB

    MD5

    981c84739f904bb3cd1e98a07e2ff25c

    SHA1

    4f72607174260881af5697b390b3f54eb0ef6e6b

    SHA256

    1cc6b5ab9edf60366ff2bbf8a8e032b6a335f6970a26698bae34bf9145fb7065

    SHA512

    ff3701fc72da220d33cca337fa83a0c67b08ff626ea9c47020f5eddf1052dfd83327d771985e271a55bc63c17ec5745d871fbd44a94a576ca9bd753d8daed161

  • memory/1284-15-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1284-8-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1284-14-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1284-7-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1284-20-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3164-28-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3164-29-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3164-32-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3724-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3724-5-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4508-21-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4508-26-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB