Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 12:43

General

  • Target

    c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe

  • Size

    64KB

  • MD5

    250304d8536ef4f7e2080168868c29c0

  • SHA1

    26a0314e377a55c5ca1ee55f82462fea9a616b36

  • SHA256

    c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bc

  • SHA512

    b5c883bb1af3bd61277a97ae9874b8d1662d3f4fb60420b3fe7cb9efa11224ec24d6091dc973b2b19dd5e08a199eeb6745a5689c00193f997acc80049b87e0ba

  • SSDEEP

    768:OMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:ObIvYvZEyFKF6N4yS+AQmZcl/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe
    "C:\Users\Admin\AppData\Local\Temp\c509517113bafdd47e35ba311f40533791dcfa57d38315ff41edb26c8ece84bcN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:400

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    64KB

    MD5

    9cca6ef43f2a73bd1b71f57f7ce78753

    SHA1

    498f549bfb043c27601015ea0b399aef2ce74219

    SHA256

    dc0213da4e169f53ed0643a87606d547b8c20a664a7ac1b2474c854eae013809

    SHA512

    e0e5db392a84ee63ab844f750315d8c13569d51a6dcb91652200eda90f23a0d271f4b8f56af6cb4ad39aabb0a5cb3472556e6bd6ae171e5d85bb0d268624fdd1

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    64KB

    MD5

    35ace95d9a2d896e1353fa1f463bc9c5

    SHA1

    657e449797fd6ed62468b4a4d0aea7b2b191e72f

    SHA256

    8746506809e30c56baee54814547ce680af691d7fa2e2acf15870bf6d2d65c57

    SHA512

    d8a06beb4b018c72bede92cac715a3f803c5e4bea5e67e8a9f11e585d4d543875efe15bdfbcf239b72870a52af4a98cdb39fd5654f657101a0a365ded1a6e776

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    64KB

    MD5

    7a741fa591c71bbe2584854f266e6ab4

    SHA1

    d9ead6b2ad9211143fe87971db1e9465db371ec6

    SHA256

    87a4d4e6ea46090c2f0364da2187d341528b03f3588773604b0d0bfd5f7be441

    SHA512

    749fbef41b19fc603212ecba05f0f3c67cc3e107f7eab269c6e442482587d7f7aa8556986dd21c6ad984ae82bcdeb1224adef091486a3b4a5ef83838461a2ff2