Overview

overview

10

Static

static

10

ebc74c0463...6e.exe

windows7-x64

10

ebc74c0463...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2024 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe

  • Size

    61KB

  • MD5

    30b78332b12da915a353d82b9707a34a

  • SHA1

    fb10fb84b936d886b18b8b1d7880b5f681ba6dc9

  • SHA256

    ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e

  • SHA512

    3e7eff7aa24b70c927b5ef45caa87249e7de55c8f7d672c1923793b1cdff779dc4536a61854b57c4794f3f4b2abb1797451524f6e2d6e94d9b6c6e4b6417d786

  • SSDEEP

    1536:nd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:PdseIOMEZEyFjEOFqTiQmil/5P

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe
    "C:\Users\Admin\AppData\Local\Temp\ebc74c046332585238d2fa83ba8ffd7a9a1ee699ecb099e1849daf4b2b1a606e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    61KB

    MD5

    c7f133d46260b0777bb0d10892721846

    SHA1

    cb69e6fbbba918aae93c572d1f42fb58da4f56ce

    SHA256

    a8699ba45839404d5817dafeca6ca7f4ead6f6b57f295b6d7de100c8f127ee96

    SHA512

    a81ced56da8c787e60c5473564490ffe40a00a813784ea219860670f54de1f2e48d84ea8ce5b92545bbffa8c1ca79d6a3a793673a6a05a1f71809e7c73e853a9

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    61KB

    MD5

    448e9f254b6411a10ec4bbce6b847b01

    SHA1

    558c2501ba3cc341aa67caa8da88566922ec9c8b

    SHA256

    07d25be2d4fcdcb13a518e0b5540e480739d786f901c50dd5e1d1941f9c3ef7d

    SHA512

    29f4c0b91004e706ac05fd2c3b2b861bd8738b536c1c3345dfb9b2c66f1a6e7613a04fb665fb45544f49766d35c177a567f3a208f53ebd38fcb3f58c1a3c8a2b

    Download Submit