Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-05-2024 04:14

General

  • Target

    e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e.exe

  • Size

    84KB

  • MD5

    27b3f3d330c1676819c043ccfcbeac42

  • SHA1

    fa115d0f9ac440a69245c02259affafb40e605d3

  • SHA256

    e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e

  • SHA512

    71fffe1679166438901b4dc6927a217255c9d8033f18741b4edf2d6556daed8427bef17f2010d3bb271f424e2719cdeab01f3c5abe6a0ab2cf118bd756119fa2

  • SSDEEP

    1536:Dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:jdseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e.exe
    "C:\Users\Admin\AppData\Local\Temp\e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:320

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    0660c7bfed30be7c43c327585ccc356b

    SHA1

    e9bfdc9bc51e5f3e54e2028d2d7ff258f8a8d1cc

    SHA256

    18f010f6eafed90afb0eeb5bc3514aa1c3bc021e0bfbe94a094d8157ec0f3022

    SHA512

    1f72161396fb482e7afaf7a9776ebf8e9f84a42c9e79835e18541580fb503989492d3fca472d70656736ee13ddbb11a84d235f90f818783cbb2430ce6cf4f4b3

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    bd589bac32e49f2e91aabdbe9f6cc7b8

    SHA1

    41d3b1144e96a41fd3317cd66d8a1233c040e7da

    SHA256

    ffca99c3b9f2a6d66d2e0259cc59e2c14c3e6947e93ed7bc48c0babdff20df5f

    SHA512

    78db8425f6f549398e67a12631715b324dd3fe111e205f84a51ebd6e0565295be3a4c08a945d893811d411405d437f96244131b11342f0ae4824782f4509ecb7

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    84KB

    MD5

    5b9fd25c663cc99023e1ff7db8ce994c

    SHA1

    d663df13284a9ab8ab39910bf9501c5009fb0707

    SHA256

    ff346085ba7a07f5a7135ceaee11245b8a93a598e66e5e86c52a9d8c0e684c5f

    SHA512

    68403eaef1e99b7aa9b07b147ad466329cf7aabe0f4af732c07dcb330460593bd0aec96d8ac88fb0d3f38dc3ba932a7738b039d53e9ae6c3a658fab93370a6ed