Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 20:48

General

  • Target

    3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe

  • Size

    84KB

  • MD5

    756384dff6e690c32681a2439a718d8c

  • SHA1

    6c9e4c6381e24572d506991cd3b22e6ca3102c94

  • SHA256

    3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d

  • SHA512

    5f7c1e01eebe65d1a87430af919175d818fc1f1b87d52fa4814be8ab9c201a719243aa160606aca3d8728e1949164c08d824929501306b345fb3d3389515c843

  • SSDEEP

    768:zMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:zbIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe
    "C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:552
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1732

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    176dd97dfc3f6d3d02c2113447701433

    SHA1

    dc69ae9eed6b0431f2a33cd83e5c9bbc2c373c9e

    SHA256

    1a64dbf0384ddacc72a9392d12e86506e32c2f1890d0f339de50acc05c6d1917

    SHA512

    85513e63af42d9e7d914fd33fbcc0df689454566276f947676245dea216d7187c70de3f004c3a7cb4d083240be331cc12797347c56bb7494691bc6f8f54f55fc

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    db6ff8d832660f61d66a6f5a22fd9830

    SHA1

    88594363b258506bc228e2d6dc7b95e1173a16c0

    SHA256

    bb927993eae2d22117651936ded9f7f7a00d964ba42acf8975af8fdfb831c8a5

    SHA512

    638baf7fd32a6c8021046e0161edd82aa836fc2056e431b76917d09676a4982f2eab18eccf57242a7fe535f7447c293e7af5abe068a5621c177b277956cd1bb6

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    84KB

    MD5

    76e19677010c78c57b3c9af916180646

    SHA1

    135b4c686bd44bc8d73d9ee6a53184e2a5db2815

    SHA256

    318738b94698f899aa3ceda10badf411216d39cbb4ca46253f0ad902f8b2f6d3

    SHA512

    6daf1917fb27cce4d6b4bad554163a5370e8ce31965fe714012b13a2013596cbc8fe23bc0d97c5eeab6c8b793a2b55d80052a00b9beb75b21f1f53664092f432