Overview

overview

10

Static

static

10

431f90277d...b1.exe

windows7-x64

10

431f90277d...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    431f90277dd316dd665622f30ed4310fef03369f0055034224697f820929ceb1.exe

  • Size

    248KB

  • MD5

    23dc0fd56bdb2e4cc6d4cceb9ddc8b77

  • SHA1

    ee2fb718a051145e2f3a788298611e97f7f13e0d

  • SHA256

    431f90277dd316dd665622f30ed4310fef03369f0055034224697f820929ceb1

  • SHA512

    d5c8e2838993093abc4d4b7f43c6059118cddcf560613d238d9cdb140dff4ef306cb89c0b1797e2a218a7db96100c13eb2733ec41ecbb83346e3517ad154bd3f

  • SSDEEP

    1536:24d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:2IdseIO+EZEyFjEOFqTiQmGnOHjzU

Score
10/10
neconyddiscoverytrojanupx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\431f90277dd316dd665622f30ed4310fef03369f0055034224697f820929ceb1.exe
    "C:\Users\Admin\AppData\Local\Temp\431f90277dd316dd665622f30ed4310fef03369f0055034224697f820929ceb1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2104

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    248KB

    MD5

    e1d97c12d194aa6f44386da33354c605

    SHA1

    ff3987e012241b075036ab295411f737d425570a

    SHA256

    d2b4646a85981ed53b0595724d2d680240941a92cd236682660f584839b7654f

    SHA512

    d9bb907ef7af7fd50633354f343dce89218a7fb956d3741461f17333f31505cca289abe3bbc9108182c8095cb71027c72cdabcb9ce6e0cfd11f0d4ad319b0bfd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    248KB

    MD5

    e5308768fcfa4d524b47915244dcfe44

    SHA1

    487079db842d91730031db0f07462099fc737c87

    SHA256

    48dd5ace69077abf24fa2fa8e76721a388f69908d28746d3258ac4f0bcf3d1d1

    SHA512

    96f0668ee1e6b5e8c0422753135c8d66ce6d94fa1b7210c31e88bdd1615a71740965eb207bf07fe9c760e85880b7f3f311debf08ff4e9dbb7e6ca8a2d247e356

    Download Submit

  • \Windows\SysWOW64\omsecor.exe
    Filesize

    248KB

    MD5

    6ddac15411077604bc5624f770f84b89

    SHA1

    340dad450318f200d43115ff8ebeae94770cb776

    SHA256

    0457d38852f1ec6c5cd61c38b59e1e4fc7ac4958b4fde12bb10e9e96cf6c4357

    SHA512

    6f53d35545e9fd54d85a907383eef6fd66311822254dcd6759c9c5a2636eb08d051f632aab3d34fbe78a69913477d84fcd3f6ec5c5e90aab72dc07f73bc7b633

    Download Submit

  • memory/2004-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2004-8-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2104-35-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2104-37-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2208-10-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2208-12-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2208-17-0x0000000000360000-0x000000000039E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2208-23-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2512-33-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download