Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
08-06-2024 23:49
General
-
Target
5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe
-
Size
92KB
-
MD5
9fcffd8c288108ea541c8845aab398cf
-
SHA1
79e9f5369930dd74b9a69af9a795ab8f4bc16fe7
-
SHA256
5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69
-
SHA512
49ff20163d431f26d3eab07a0e4fd69f0b8d41507305100f483271999b8816a2e3bec10b1ca4f49bcd46eb0e49b320fefc7bb5d9126abe887d440297e2e22465
-
SSDEEP
768:3MEIvFGvZEh8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:3bIvYvZEgFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Executes dropped EXE 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe"C:\Users\Admin\AppData\Local\Temp\5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\omsecor.exeFilesize
92KB
MD59d9aa122962490d224d482fa5399d3ae
SHA1916388a7d08cd2e519033d7f172391a512cf9272
SHA25692aad438f3ed97b0902fa179d086365440228d6d9e1062a3d8c0bcf4516a99fe
SHA512e7a9234abce8c5d8f365abba26318831f435ff7b28c7a81f14f4838f72994838a049452b029718b2f725e41334feebcb6fb085b42cd14defa9ed8c14416b51bb
-
C:\Windows\SysWOW64\omsecor.exeFilesize
92KB
MD5c90eff8542fab414f099dd6c9d4510dc
SHA13cb783e53e00c3e18721eab376906fa568a88c5e
SHA25640e318c06878398e88c25099cc3e39b6301e61f2d8b9983626b9cafa4de4600e
SHA512f1baa99c77b18efb3d67e25ef6a550fadccb945d347dda32e2bf366fc31afa2c9841c4ecac2481cdab4b3a2ce1b856249daedc57bda54411d68bb695291b0a0a
-
memory/3364-0-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3364-6-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3464-11-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3464-14-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3656-4-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3656-7-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3656-13-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB