Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 19:23

General

  • Target

    1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe

  • Size

    64KB

  • MD5

    3ccb069e205cf460a84fe7698078876e

  • SHA1

    57b6900a1bec2e0b7c0294b57236854ebc1ddfc6

  • SHA256

    1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b

  • SHA512

    3a7083b5b293cdd5f2e33487b54894345acf9b945eaa227138d9fad5afdd8772680fec6a4091f3bc08831eb743f628d92ba2ca04e3c10f1c4ee41886ac8bcf87

  • SSDEEP

    768:QMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:QbIvYvZEyFKF6N4yS+AQmZcl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe
    "C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2864

Network

MITRE ATT&CK Matrix

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    64KB

    MD5

    310d9a10351692f0e7c4a9b904813146

    SHA1

    27b813a9eee71d69366abe8f2a1db700742310e3

    SHA256

    29b04df61232f68789882af67f0467133ac23128b117d77197f832579fea2ca5

    SHA512

    eef492b73f4353662b4a1ecf276463ee27bce1b16bdb35209f8d09180734d65d4bc6e05dcc923c40db748384f1672111e07218be5dfcd232246f557936365780

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    64KB

    MD5

    0e982cf4973d9a1f212dcbbd7212f286

    SHA1

    72c891be5ddb1a0b47db0a3a81739f2730c8ea3a

    SHA256

    e65e6ae10624d87af1421d94944761c5b3eada98e97d0499cd74e1c997f03251

    SHA512

    8b4d616098980651cecf3069cdc21b79591c41703e64e3cb2b77dd17ed0f6e7cfb1680e0e155ab78c06cfbdd4d7559fb332af42352928146bae49f34bac84335

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    64KB

    MD5

    3fe13d3e06c87c36d1969a83aeb809ed

    SHA1

    cfb8211a3f81d9df6b73f553e0357e9c3b698c75

    SHA256

    dd95954a0212415c206bac516767be4b9f798c8df44ad8643376efc1de32d22b

    SHA512

    bf613fce84bd3eb3e0bec5e0c49b3b83da1c34191d57bda47b8b89b6140d271201a07c10a70b87dd46b428680e34b3c84d2e050f05209ce0a2bae00312ae3628