Overview

overview

10

Static

static

10

e537f82853...9N.exe

windows7-x64

10

e537f82853...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e537f82853fc38f40be7ca49f70d9245cff7493d16cdc0be2e86a06e0bd00529N.exe

  • Size

    76KB

  • MD5

    00d16930a144917507707786dc2bbc30

  • SHA1

    be02807b052fb45288482b5eaf5e67ba6114690a

  • SHA256

    e537f82853fc38f40be7ca49f70d9245cff7493d16cdc0be2e86a06e0bd00529

  • SHA512

    b55eaa36e1e14fc61b909720f82da9c8aa243cf25d7111b7a21d4700bc59d09f3e8e8b0168ee52d20f71a0b206519cdd3b3965cff2f26e52dd3671279edfb676

  • SSDEEP

    768:3MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:3bIvYvZEyFKF6N4yS+AQmZTl/5O

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e537f82853fc38f40be7ca49f70d9245cff7493d16cdc0be2e86a06e0bd00529N.exe
    "C:\Users\Admin\AppData\Local\Temp\e537f82853fc38f40be7ca49f70d9245cff7493d16cdc0be2e86a06e0bd00529N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4932
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    76KB

    MD5

    902d6734988ed142ba924abfd4dd5472

    SHA1

    4d3392aa9d8474b9ef1e04c4c62075d943bfd631

    SHA256

    10047682e4ee67b7d3b1175d0154dd2772f8cf28e618f774878010eb725ffdb0

    SHA512

    edf68dac2bdec249470f4c9db5d03464c71e588946dbf8fe8535988cff53568aed6268d27344cbfa5fdd15e4dfcbb75ffbce21e065c76d1ae40acaa4d032405c

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    76KB

    MD5

    301ab65db719597be8523fb5d482dede

    SHA1

    67afb398253bac2973b3ebcab737f0273e9095f0

    SHA256

    eb6c6e83c7af2a7bbd3efa606c22687dd00bbd30e5563b43a2c6057aa265e100

    SHA512

    38021e34a8df73ebc65456b12c7c80423e20d75e3566922f1fd4fa6e25892a545b1d5aab90f63b44324d6d9ea04634007921350b7c006b06f80014ea87df0b36

    Download Submit