Analysis
-
max time kernel
142s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
21-06-2024 01:51
General
-
Target
a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe
-
Size
92KB
-
MD5
af4277dd98ae2f012297ad52052eefb2
-
SHA1
ba27fd7a75787eeaac04ba8e1e1c375175a6c096
-
SHA256
a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d
-
SHA512
cf2b92ffe29df2184503a7b3ff1291eb7167acbb5482cf76e13b55b5a50a55402b4799d9de5022549d47c5989078675a6a689413f1e474b4cc8f1357473b546d
-
SSDEEP
768:SMEIvFGvZEr8LFK0ic4PN47eSdYAHwmZNp6JXXlaa5uA:SbIvYvZEyFKFPN4yS+AQmZol/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Executes dropped EXE 3 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe"C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\omsecor.exeFilesize
92KB
MD5080351041fed2c4b2bfec7c5e8447003
SHA17085829d17053a3aa488f17f0e4a5c94fe4aa28f
SHA2561bd82c90d0ec636dc89e1acf8b56082ba0eca2c57351ed4b599c7af9845e5f46
SHA512236450b2dd1aa6478d237c5ba3f144b353e6c5ee822fb1160a209fafbe32589d10fc8e8c207774698704485f6e0b9f1c737e82b785bcb03d3389ecdc1fe52a41
-
C:\Users\Admin\AppData\Roaming\omsecor.exeFilesize
92KB
MD5eb1594b3d0c7f76d46121377d070ec22
SHA1c8390571254d431b0fd9ce66bc66ca946a36f8dd
SHA256c3b10a9f0ab06a358aedf2b12faf1402a621728a09691b05a1b1cb268d7f6552
SHA51280f0382ffc489a9d8968aee0c435d31f24bd1968d2680d8bc37f89a9814de30e38a31ae925a613a6572210f3358c5c3996fd2ed8506de09e1cfb8fb5b45d96c4
-
C:\Windows\SysWOW64\omsecor.exeFilesize
92KB
MD5c6896133af4e5ccdf29265134de80047
SHA1bb91f912387442b6df35ccffbd3b013cc1189aca
SHA256ec8db7f6d7fcdc88d28ad09c088850853ff6f6d812b83f94af0d2c50808798de
SHA512b3043a7a830d7db9bddd430a6e32cf9af95a31075d7819fbedbd6a422242d5ce7ad4d4b13323f27d0cbf3658a69d1476352c9db5a2800ff02b9603e54a1cd161
-
memory/3008-12-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3008-17-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3552-18-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/3552-20-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4600-0-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4600-4-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4964-5-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4964-7-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4964-11-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB