Overview

overview

10

Static

static

10

8891257eb0...6N.exe

windows7-x64

10

8891257eb0...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 00:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8891257eb0c5f2f5174bb4d8263576f1c3db1ef337c1995970b12471d80c58f6N.exe

  • Size

    80KB

  • MD5

    4affced65f7e21ae8f762cdec29cc000

  • SHA1

    f97e21b5cb05ba69532165946d39e52d0b57025e

  • SHA256

    8891257eb0c5f2f5174bb4d8263576f1c3db1ef337c1995970b12471d80c58f6

  • SHA512

    580ef2762e6038af7534b5a355bf00dfb5b82010cdbf949b680d603b3fb92f592cd3dc6b7c4e4885b7d3a247c0e29acf97c51e62fca3428f2e04e0d5113574a4

  • SSDEEP

    768:nfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:nfbIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8891257eb0c5f2f5174bb4d8263576f1c3db1ef337c1995970b12471d80c58f6N.exe
    "C:\Users\Admin\AppData\Local\Temp\8891257eb0c5f2f5174bb4d8263576f1c3db1ef337c1995970b12471d80c58f6N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    5c58e89f87ffd1d95af7d093fbd0b5fd

    SHA1

    381e925e58de768820a291c4287459888a628276

    SHA256

    fccc725c756d1d604aa4ac05e03c1819a9fab158065c3b7d7158b99f8440d4ac

    SHA512

    4dc7f21be34a78b7b386eb4f305ceb597ec257463b627729f75faa727749df39b57c661bd7ba2cac440b898e61690b527eebe737629e8676ddd552d74a61d3e5

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    26bdb1271319415d685692a4ed0838ed

    SHA1

    039dd0739402d0a8dfdd96cd52fe47b27b0027d4

    SHA256

    6ec026cdc9605cc918b65776c1f6c0fe2702170759debc8814e887ac3b0f3d4e

    SHA512

    af4dfbd27f68ba36659b8e916cf7d8a183cd944774519f721763d39f09f252cd2028305954654ae8f7d1c409beabb1848d2cb18df34292f3261c43dacb6a2530

    Download Submit