Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 04:39

General

  • Target

    f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe

  • Size

    62KB

  • MD5

    3f4026511c6890875837a13675b7278a

  • SHA1

    e84c8733260773cc688b68ad4d0d2812c4904287

  • SHA256

    f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6

  • SHA512

    80690676583813b52e7974ab1ddd64a596b87990dcafbd14fee520d481dee44d27c509929ff26a5d721e2272e38bc22789da3b57be1c556ed3f509e6823dd784

  • SSDEEP

    768:eMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:ebIvYvZEyFKF6N4yS+AQmZtl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe
    "C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    62KB

    MD5

    8be5abf1ca351315c8984e876c3e6224

    SHA1

    6c06a8bbbd810d9efad2beb902005575b98c74b9

    SHA256

    d7d0ad6344b2659ed53545bda1163021924c6b8250cd40028f5b2f87cad16e2b

    SHA512

    8aaea9feffa115e782b5b2693740302267e539e4aff302d85d9f60393258908e6f7363570a7b081e929d5e17515e49354f9615771d020e446acc36479e342031

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    62KB

    MD5

    32253a47273278b1128b91830b267488

    SHA1

    eda4aab36b06bfd22ca9a9235342df67dca71993

    SHA256

    2ace238d95b0fb8fb6ccef4822cd9cccc76d131bb87dcff53424999430349249

    SHA512

    8def47f16e1856a0c0cedd955853f40a4771fd7d2ab66b076ae76e28796b6de3e8d2291627bc6138cfea34531688bc6c69a06c0c6318478dd19fdeb540f85463

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    62KB

    MD5

    110af80ab7627254d0bdfb33da0fc9d1

    SHA1

    9f1f948edad862f1d60bea286217777593054894

    SHA256

    ebbb47554a3b81278e46c6c7c166078a5ab43967a8c99501c2029419480f021f

    SHA512

    0c46616e88342ebaae44dc3b22d555dc4f3aebbad28a06ad7e89d1b9be08b1479380c2c676849eb9fce910b6fa784617dd1dded6e0fc7cf1bc8bd2056ec5d1b5