Analysis

  • max time kernel
    119s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 20:48

General

  • Target

    3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe

  • Size

    84KB

  • MD5

    756384dff6e690c32681a2439a718d8c

  • SHA1

    6c9e4c6381e24572d506991cd3b22e6ca3102c94

  • SHA256

    3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d

  • SHA512

    5f7c1e01eebe65d1a87430af919175d818fc1f1b87d52fa4814be8ab9c201a719243aa160606aca3d8728e1949164c08d824929501306b345fb3d3389515c843

  • SSDEEP

    768:zMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:zbIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe
    "C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    db6ff8d832660f61d66a6f5a22fd9830

    SHA1

    88594363b258506bc228e2d6dc7b95e1173a16c0

    SHA256

    bb927993eae2d22117651936ded9f7f7a00d964ba42acf8975af8fdfb831c8a5

    SHA512

    638baf7fd32a6c8021046e0161edd82aa836fc2056e431b76917d09676a4982f2eab18eccf57242a7fe535f7447c293e7af5abe068a5621c177b277956cd1bb6

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    b1e82e612338f5c2d997a8be52666a5e

    SHA1

    fa8d6f22d1e4e1f6dda94d03fe19f374d8f46600

    SHA256

    009f78164c8b64e6e59b7e6a0988e6efbc8ae815e2171433aecfd44771563de9

    SHA512

    1f53666846fe5c44a2f6d77a559defb22f083aee673d6d268a8988e5c8951637ff709314dfc3e3e033aa8a3ac26d81d5d0dee82157a4deb5529b94c2f3b3e81d

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    84KB

    MD5

    15358bbbaee7a5629bb0ab8a06a20d9a

    SHA1

    b222268c5e0d6b8a2d9865a2e7542a1064c296af

    SHA256

    374cd60d5987a93e3a477dc21aa1989f2524cee2c7595ca10f8efde11c70ec66

    SHA512

    ac505f34f632a55ea10aba05b9a6a04e477a17539173c6eea746a0faf2db164b67a73cb27c12e7111e9f520cd4be1b7eab71d98df30892e14a49417d617f3a2d