Analysis

  • max time kernel
    119s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/08/2024, 01:38

General

  • Target

    f1daacbe962fb12dc51a1f0466fa5670N.exe

  • Size

    80KB

  • MD5

    f1daacbe962fb12dc51a1f0466fa5670

  • SHA1

    1985ebec38c09d9fea35ab15067ecb99e98d3b7b

  • SHA256

    910ae32542a2d2f9a5f0c8574b94358fe21b7a210af9feb7e8c327bcd7b58345

  • SHA512

    68899c73badd5b99fdb501901ac170f17980975881b52d00f194280f93fe0fd6d57b7a855464eccd1616738972e7a3ba2028a41999633c88ee1e7189b5b51e27

  • SSDEEP

    768:IfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:IfbIvYvZEyFKF6N4yS+AQmZTl/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1daacbe962fb12dc51a1f0466fa5670N.exe
    "C:\Users\Admin\AppData\Local\Temp\f1daacbe962fb12dc51a1f0466fa5670N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    cfa53eda29f7e2082a78e4f830eb4491

    SHA1

    0ab9900706c4eb47cdbfac02d28ebdd531e38476

    SHA256

    c75106b2dba2db9069f3303654f61ccc3c95fe92533ae14d93907b02a200237c

    SHA512

    b9bbf1279ab0faedb2cb4f5cc01815e3bebdfae629f31518f0fd86592b5ee55b9cf3214f4548037023886974f14b1a45eeedd6e073bd981f89109fa6a8bc1d64

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    4dc84bd1b7050c9f59b576067e20d200

    SHA1

    430b922b69acac4660d7379762d85c4b569cd70c

    SHA256

    da349b9f9d5f3044e5ce2a30547fffa29d2c254867c0c3c5bb80db6c445488a0

    SHA512

    d15096b86364b8a8deb277056318cbf7a69bce346834efcd5178fc0bd796d21a53d480836e4c0b367ef9ae37041479eeaa17a8b232d9407f6a1b664bec9f3f17

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    8a258d79272d7828fdcc025d4a97a81c

    SHA1

    d82d1afb3e6472add94f4e37990460ce9567c99e

    SHA256

    d127734c477dad20d3b5d4f50f6e924a7770edd14ec653e4c0db8fd78fbdbf4b

    SHA512

    8344dad8a794ea838cd74b321b7cd8557013455d05260fd974d99224f68cbb17cd4bb0d409fe29146f7eb4a73eed933d768a96c0391cd0a2aa56023a59c99a01