Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2024 21:55

General

  • Target

    431f90277dd316dd665622f30ed4310fef03369f0055034224697f820929ceb1.exe

  • Size

    248KB

  • MD5

    23dc0fd56bdb2e4cc6d4cceb9ddc8b77

  • SHA1

    ee2fb718a051145e2f3a788298611e97f7f13e0d

  • SHA256

    431f90277dd316dd665622f30ed4310fef03369f0055034224697f820929ceb1

  • SHA512

    d5c8e2838993093abc4d4b7f43c6059118cddcf560613d238d9cdb140dff4ef306cb89c0b1797e2a218a7db96100c13eb2733ec41ecbb83346e3517ad154bd3f

  • SSDEEP

    1536:24d9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZMnOHBRzU:2IdseIO+EZEyFjEOFqTiQmGnOHjzU

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 9 IoCs
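
The "UPX packed file" signature above is a static check on the PE headers. The following is an added example (not the sandbox's own detector) that shows the two cheapest heuristics: section names beginning with `UPX` and the `UPX!` marker that stock UPX writes into the packed file. The PE image is constructed in memory by `build_pe()` so the script runs offline; `build_pe()` itself is a helper written for this example and is not part of the report.

```python
"""Static UPX-packing heuristics over a PE image (added example).

pe_section_names() walks the DOS header -> PE signature -> COFF header ->
section table and returns the section names.  looks_upx_packed() combines
that with a search for the "UPX!" marker stock UPX embeds in its output.
A modified UPX build that renames its sections and patches out the marker
defeats both checks; the signature text ("UPX/modified UPX") hints that the
sandbox uses further indicators, which are not shown on the page.
"""
import struct


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, parsing only the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader(2) at +16
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = table + 40 * i            # IMAGE_SECTION_HEADER is 40 bytes, Name first
        raw = data[entry:entry + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if section names start with 'UPX' or the 'UPX!' marker is present."""
    if any(name.startswith("UPX") for name in pe_section_names(data)):
        return True
    return b"UPX!" in data


def build_pe(section_names: list[str]) -> bytes:
    """Construct a minimal PE32 image with the given section names (test input)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # magic 0x10B = PE32
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    for names in (["UPX0", "UPX1", ".rsrc"], [".text", ".rdata", ".data"]):
        img = build_pe(names)
        print(names, "->", "UPX" if looks_upx_packed(img) else "clean")
```

Run it against a real sample with `looks_upx_packed(open(path, "rb").read())`. Treat a hit as a packing indicator only: a packed file is not malicious by itself, and the section-name check is trivially evaded by renaming, so it belongs beside behavioural indicators such as the dropped-file and process-tree signatures above rather than in place of them.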

Processes

  • C:\Users\Admin\AppData\Local\Temp\431f90277dd316dd665622f30ed4310fef03369f0055034224697f820929ceb1.exe
    "C:\Users\Admin\AppData\Local\Temp\431f90277dd316dd665622f30ed4310fef03369f0055034224697f820929ceb1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4292
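
Two details of the tree above matter for detection. First, the third process is launched as `C:\Windows\System32\omsecor.exe` but runs from `C:\Windows\SysWOW64\omsecor.exe`: the 32-bit sample's write to System32 was redirected by WOW64 file-system redirection, so a rule keyed on one spelling of the path misses the other. Second, the three copies of omsecor.exe listed under Downloads share a size of 248KB but have different hashes, so hash-based IOCs cover only this run. The block below is an added example of behaviour-based detection (not the sandbox's own rules) over a constructed, Sysmon-style event trace that mirrors the tree; which process wrote which copy is an assumption, since the report only attributes the System32 drop to PID 2032.

```python
"""Behavioural detection over a constructed process/file trace (added example).

Implements three rules that correspond to the tree above:
  executes_dropped_exe      a process whose image was written earlier in the trace
  drops_file_in_system_dir  a process from a user-writable path writing under
                            System32/SysWOW64
  wow64_path_redirection    command line names System32 but the image on disk
                            is in SysWOW64 (32-bit process, redirected write)
Field names follow Sysmon (Image, CommandLine, TargetFilename); the events are
constructed for this example and are not the sandbox's event log.
"""
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "ProcessCreate" or "FileCreate"
    pid: int
    image: str           # process image on disk (after WOW64 redirection)
    cmdline: str = ""    # command line as launched (ProcessCreate only)
    target: str = ""     # path written (FileCreate only)


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them lower-cased."""
    return path.lower()


def analyse(events):
    """Return a list of (rule, pid, ...) findings for the trace."""
    findings = []
    written = {}  # normalised path -> pid of the process that wrote it
    for ev in events:
        if ev.kind == "FileCreate":
            target = norm(ev.target)
            written[target] = ev.pid
            if target.startswith(SYSTEM_DIRS) and norm(ev.image).startswith(USER_WRITABLE):
                findings.append(("drops_file_in_system_dir", ev.pid, ev.target))
        elif ev.kind == "ProcessCreate":
            img = norm(ev.image)
            if img in written:
                findings.append(("executes_dropped_exe", ev.pid, ev.image, written[img]))
            # launched as ...\System32\... but the loader resolved it to SysWOW64
            if "\\system32\\" in norm(ev.cmdline) and img.startswith("c:\\windows\\syswow64\\"):
                findings.append(("wow64_path_redirection", ev.pid, ev.cmdline, ev.image))
    return findings


# Paths taken from the process tree above.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "431f90277dd316dd665622f30ed4310fef03369f0055034224697f820929ceb1.exe")
ROAMING = "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"
SYS32 = "C:\\Windows\\System32\\omsecor.exe"
WOW64 = "C:\\Windows\\SysWOW64\\omsecor.exe"

# Constructed trace consistent with the tree; the FileCreate attributions are assumed.
TRACE = [
    Event("ProcessCreate", 4088, SAMPLE, cmdline='"' + SAMPLE + '"'),
    Event("FileCreate", 4088, SAMPLE, target=ROAMING),
    Event("ProcessCreate", 2032, ROAMING, cmdline=ROAMING),
    Event("FileCreate", 2032, ROAMING, target=WOW64),      # asked for System32, landed in SysWOW64
    Event("ProcessCreate", 544, WOW64, cmdline=SYS32),
    Event("FileCreate", 544, WOW64, target=ROAMING),
    Event("ProcessCreate", 4292, ROAMING, cmdline=ROAMING),
]

if __name__ == "__main__":
    for finding in analyse(TRACE):
        print(finding)
```

On this trace the rules fire three times for `executes_dropped_exe` (PIDs 2032, 544 and 4292), once for the SysWOW64 drop by PID 2032, and once for the redirected launch of PID 544. When porting the logic to a SIEM, normalise both `System32` and `SysWOW64` spellings in path matches, and key the "dropped and executed" rule on the full path rather than a hash, because each copy of omsecor.exe in this run has a different hash.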

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    248KB

    MD5

    2dec9ab61d5bed5588206c0d81a34552

    SHA1

    748f925eb78509a05affc0eb7becbe3dae172d31

    SHA256

    373a7f58087b1995a680e3711a47affd1c114b5eb46c1123066220e268ebcf6e

    SHA512

    c95e5208840b5d646a2a787307739d0c1563f56c73df76522f6550c7b307bf3a5b9f37b784d51f6391fbd0905a1d871fdae7d1f4a6b63b4da566da282caba669

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    248KB

    MD5

    e5308768fcfa4d524b47915244dcfe44

    SHA1

    487079db842d91730031db0f07462099fc737c87

    SHA256

    48dd5ace69077abf24fa2fa8e76721a388f69908d28746d3258ac4f0bcf3d1d1

    SHA512

    96f0668ee1e6b5e8c0422753135c8d66ce6d94fa1b7210c31e88bdd1615a71740965eb207bf07fe9c760e85880b7f3f311debf08ff4e9dbb7e6ca8a2d247e356

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    248KB

    MD5

    0f583236ea21d0acf5be9f5b58f9fd8d

    SHA1

    73895f3548e2d6f38d7379cf83ddbf506445c8f2

    SHA256

    77b3b3bdccd683101dfb5bf2e75c6889c924c46d0570ede544a59d091c51833b

    SHA512

    a005e4f601f7dfddffe35d0e9fa353e141964fc0c590b4c79e93dc13ac41aa66e626272ff578779586d65adbf0af2565e9b5bd663ed24219c7c72c14772b55c1

  • memory/544-11-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/544-19-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2032-5-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2032-7-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2032-13-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/4088-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/4088-6-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/4292-18-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/4292-20-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB