Overview

overview

10

Static

static

10

38253f09ac...18.exe

windows7-x64

10

38253f09ac...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe

  • Size

    61KB

  • MD5

    121e47853541cf15a1249c5580840cea

  • SHA1

    28161b7d82dfd76176f68784228dcd0cb938cd5b

  • SHA256

    38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818

  • SHA512

    c1d8bc14cb413ddaeae5ecfa93ef2f7faacd089e609f56a1fbc5c87f83e6e6c7660508f1bb707d007d0e21856abf82857d39eb119effe63ea9b31c567f23b9c3

  • SSDEEP

    1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5/:4dseIOMEZEyFjEOFqTiQmil/5/

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe
    "C:\Users\Admin\AppData\Local\Temp\38253f09acc0e511f93f4bebae5f29b06b70620a126a2e04e1e4762985fb0818.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    61KB

    MD5

    98ed742ba0356531fb0a83cdde90b155

    SHA1

    b8aa0011c53c862a00552ee48941565971711820

    SHA256

    7ed24dc5088dfa3bef027926ca64d95e5289469f23edf0d8cda8f6c67d937200

    SHA512

    459b0515d9af76715c25b76d0ee7aa64265a54770888c645271c7fad44831b1e9919883fdd930ca24f702b78e716c50a6a7eff0232b1f741dac22bf29d29b2c7

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    61KB

    MD5

    b3d0e3ddcb2b8e377bd055df48a55885

    SHA1

    e7d1a7634b0223b94921de4f28ebf977b01da421

    SHA256

    5176d3f4ba677e2b88044382ba88a716fafcdaa01929c77178d32c875346fc95

    SHA512

    809c05ad8e8900fa1a69a362223f82b3268b958f5ec926cfc36634a01d48ff3ade7ab5b56e433a676dd1f16d626cd2eecba21771e4e338812f32fef91898e747

    Download Submit