Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/11/2024, 09:07

General

  • Target

    7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe

  • Size

    88KB

  • MD5

    f09c5befab2a46f95cdaf3621e20a5fa

  • SHA1

    12a837441fea6d04e24d3609ed906167bb0b37eb

  • SHA256

    7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24

  • SHA512

    f96d9065f4c98f52ce6d31261498ad2b3c1da84fa05d66510e3002f7605387fc8319e2a5c6068e8fa8bfe76c4d6cedfc6906f465d0247ed1d07bf536c18b3a46

  • SSDEEP

    768:ZMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:ZbIvYvZEyFKF6N4yS+AQmZTl/5C

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE (2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe
    "C:\Users\Admin\AppData\Local\Temp\7174c661fe2966bf811598b960e4118bd8b0f4264e9b20aeaacb7a8111188f24.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    8ca3ff1f4406904060453bc4b005212c

    SHA1

    d5a441b85ece1414968bee90d7f12a8403f62393

    SHA256

    819a452368dae2cb1f506f33a34fa2d3bf6942b1146258f72ebd641a69bb7b4f

    SHA512

    06c0acf40b431811033b18cbfb8fcc00fc02315184999589d3ce015e4fdbfdc2841fbc203d432f833e865f5768dc77e9e6461d09fb44d6fdce6b5372c71fc4dd

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    c47126b9eb1231c0c49aa3033244facc

    SHA1

    c6523b1ed470eb654d6843e408c2dcf47db2a910

    SHA256

    32b2d8523e6bc3a5215f99b9350f116e3d0410b3059034b706ac2416e48ec6c1

    SHA512

    f10fb873867ad7c01e2e9dbd1bf26fd6f730e27b04a8ec0af26aa24f4768a09ced27f0151b6904d21e5fa92b2a822091960bbf7e61e618ea3a5311d6e5f3d986