Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 04:39

General

  • Target

    f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe

  • Size

    62KB

  • MD5

    3f4026511c6890875837a13675b7278a

  • SHA1

    e84c8733260773cc688b68ad4d0d2812c4904287

  • SHA256

    f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6

  • SHA512

    80690676583813b52e7974ab1ddd64a596b87990dcafbd14fee520d481dee44d27c509929ff26a5d721e2272e38bc22789da3b57be1c556ed3f509e6823dd784

  • SSDEEP

    768:eMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:ebIvYvZEyFKF6N4yS+AQmZtl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe
    "C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5780
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5572
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    62KB

    MD5

    94a28e45affa6f1759751b08caa3a399

    SHA1

    d603d25db16de015fb1acecf8177b4a63bf5b7dc

    SHA256

    ed415e17c4d9796cdb39a49f1f6619d9a4861487de90fa67e3719020a05589ef

    SHA512

    6584bd1dbe0ceab17e519e4fb5d42f184714ee2a3624df58d09ae8ebae5c1f51be0d2c1efaaaa949312638ac0f81611872f081b8486bc63ae57507eaaea05829

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    62KB

    MD5

    32253a47273278b1128b91830b267488

    SHA1

    eda4aab36b06bfd22ca9a9235342df67dca71993

    SHA256

    2ace238d95b0fb8fb6ccef4822cd9cccc76d131bb87dcff53424999430349249

    SHA512

    8def47f16e1856a0c0cedd955853f40a4771fd7d2ab66b076ae76e28796b6de3e8d2291627bc6138cfea34531688bc6c69a06c0c6318478dd19fdeb540f85463

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    62KB

    MD5

    21bbf310a8d596850d68345057469800

    SHA1

    ce028ab9516f3961df4db0a9d5042381c36d8539

    SHA256

    f83b08937d54c18fe89b203f9c4ebee88b23db2214e05d6ce31a472ba37228e4

    SHA512

    705f421f8ba02acefcf99537dea36ffda8c2cd95dea426f081574c303e54fd1b950c3596dbcecd9c1bf2e9f9f16f178a469dd53425c23a5e8645318c0e93c9e2