Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-05-2024 02:59

General

  • Target

    cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe

  • Size

    92KB

  • MD5

    a8b1ada55fa84ab373638e59a7cbaaa9

  • SHA1

    ff5ec3aae893f55553f0ea26c290cf07ec29d7b5

  • SHA256

    cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43

  • SHA512

    f29ce5b8bb4a7f4354ca4ec4f7d6d6ed66283e4dcfbc850c59235c272b05adca18ee14eed8a51c1a06f82d9ff60bf4139d29c8eb319c14ddcbd500b95c51395d

  • SSDEEP

    1536:1d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:9dseIOyEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
    "C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1988

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    30bbb6b75769c5bb0bcf764906690d9b

    SHA1

    4f1f2cc020dddc6d0108812624022e8e53dc65a6

    SHA256

    4f6464c1bd11617b3a72b98ea2c8762866c5b3da6fd037ac51eeacf95b8d58d7

    SHA512

    f87b322bebab41e6750efab17f662ed7771f6df9ddc93d681278e8c58844540c78ed302be6bf0f3f374e7bbfad16d5a851dfd448de1eeb5556776027ad6b43c1

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    ebee397ed13d5f0e150b2b7381fc19c5

    SHA1

    267a31e483814c9b8e6ded1ffa83ce7a042e823b

    SHA256

    720ee33903dd414996bf5506b000eaf172240858a468d756019b0279183f73b8

    SHA512

    fe8368078a49f9518d37e4851ccc2c1cdf3a7a4082b8fd46bb38d0260b5e2e550b2bf0732ee7383873738d782e7098c3b043b522e3f0666f9d734260822eab98

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    92KB

    MD5

    3e43fd008ae33d75c2873ecb885f7602

    SHA1

    32fe077bf9bbbe18a7b8ba31db1acdc8f7ba758e

    SHA256

    df00b466e41187945aec62289b655c6f01f1e849624869e74dcde55f25c9f558

    SHA512

    fa2858bd5c7ad8a56511db322198946124537996e20de62e1a9314fe4942e6f7c5579a210ed637a8b802abb54bcb16008505e06edfd9cf3071d92e875157c3bd

  • memory/952-34-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1988-35-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1988-37-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2200-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2200-8-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2208-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2208-12-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2208-17-0x0000000000330000-0x000000000035B000-memory.dmp

    Filesize

    172KB

  • memory/2208-23-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB