Overview

overview

10

Static

static

10

41f8d75e89...AS.exe

windows7-x64

10

41f8d75e89...AS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-05-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41f8d75e8978ed377acc0f3024a64a70_NEAS.exe

  • Size

    88KB

  • MD5

    41f8d75e8978ed377acc0f3024a64a70

  • SHA1

    fc0a433aa5e13b050ae39b18cf5c59bfd61818d9

  • SHA256

    b87a21e5ac07a9b9863ee2d9e265340bef3937e3a30a92ec74c8db618d4f50af

  • SHA512

    3cfcfab11e7accebb66dea3c2f4117e5fa5879b10682f4769d411b101fae24ba2e39f1896a0ac3cdabcc25a529d3bd5f966ff11bc3e87a5e6537ed600d609c14

  • SSDEEP

    768:bMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:bbIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10
neconydtrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41f8d75e8978ed377acc0f3024a64a70_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\41f8d75e8978ed377acc0f3024a64a70_NEAS.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    88KB

    MD5

    3cf5d917a060684a9efff3074b149e97

    SHA1

    45fcfff1a3c4433d4f4fb4e51ae0fe25228066ec

    SHA256

    3de32c2e9033517203ad77ef7fd349322ad359972f4a11d2eac581bab5fca96f

    SHA512

    7cb1793a877f01a5516738412744aecc37c1acf8623d07e7d7939c5658d347be21c02a308469ff733cbdcb07f0653e085094333c35db74b0f12c852c22b503fb

    Download Submit

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    88KB

    MD5

    ba4cf14dbafb2ebeaaf40af4b24a08c2

    SHA1

    933d2b7fd8701e7fda36998a95f04025f6737e95

    SHA256

    c838862420e04bcb5deee9a58876f2c1e62d7272a5fa02b499a49172b869c688

    SHA512

    617e03eff253a77825c93694eb78b14cfa8f1a379ded466265438d80d82332762f84b2c58e65fbdf047918ea79d0d1b4f5ad029d23b2b6324d9fb631996fd8ae

    Download Submit

  • \Windows\SysWOW64\omsecor.exe
    Filesize

    88KB

    MD5

    74da5271c5689d97e237c129bec1dddc

    SHA1

    80a57ba959bd40f6fa53f64d94fd1c6914f551bb

    SHA256

    8958900b4df9d582986f02d7e04312bc6ff140ad23db61d6e9e1b30747f7231b

    SHA512

    6efecd7791a52ce8e5acb98be83b5d1ed2708cad6d3d104fe703bb13146a91c1e8a82bf4b56eca8e4ee2ee412dc03cf99fbc1ae8823ba49e49ea6d78fd6e9efa

    Download Submit