Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-06-2024 02:30

General

  • Target

    6dadb6fc1f598dfc9ebb7aa087046b40.exe

  • Size

    72KB

  • MD5

    6dadb6fc1f598dfc9ebb7aa087046b40

  • SHA1

    a1783a5676d47dabc025d3823e7783e119cecdde

  • SHA256

    ad73863dc9726bbe6cf6c7d2433f9cde1896d8198a51e7e03f3cf1ec26f78929

  • SHA512

    c105bde5564c74770f29e9d8fa8440bdcbc34794545335a046505d00a3bae61ddc5bacd3b349e12d98f57188d6e5f29e8ef7792f3ef7106cfa51e48cc655bccf

  • SSDEEP

    1536:jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:DdseIOMEZEyFjEOFqTiQm5l/5211

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe
    "C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1112
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2372

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    72KB

    MD5

    ed05fe3ec29dc8f402abb65cd8838a23

    SHA1

    2b7bbba9a583cb594223d69524716f4d4af5750b

    SHA256

    e72ecc2ba753e6b80e3c3472dfade45e8a740094a630cf7763bfe00637cf8b51

    SHA512

    9501fca9c4f673e105df9c69b2922fdf6e1458e761cc5ffb46b8041e72914bcb76c9e1ad69681995dcc10d61c31abe603650c1f8eada1cfc387ab929d7fa2000

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    72KB

    MD5

    096514828731d6b4e1ca1eefd56a2fc5

    SHA1

    9bfa57e952573f2fdbcd6b9467f8c467fde73ccb

    SHA256

    569fce08924a54f440efbe7edb1535f08e87987f35e52d85dd8fa850c5050f4e

    SHA512

    b966e5c7de921f5fae9ea0bb252278be06f92a0396c9b3382ce6383d793f682d50163fa965517c8e88f9cb0774b249981c73ac7ed8c915f11e1afc3c253917c4

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    72KB

    MD5

    e516caff2319609d57de70de4c7b5d8e

    SHA1

    8bb646a2f0ee0198fcfd1beeb2ef408dc27d802f

    SHA256

    9697455c5c1b4629334e1f218a8d4d9e45cef06e158717af8b58041685dcfcfb

    SHA512

    7894ace3e6b96af5b63c11802bb4b71311f7d9d96b49c90927f3ff69125c4bf637e4ca287caf904648e29e42154d9e119775618db8576371676550f9e1a16230