Analysis

  • max time kernel
    114s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2024 16:29

General

  • Target

    2029d4e150d9c92627f57e5a8b76410fb05a3586b89c0d71bc4500f37a66d377.exe

  • Size

    62KB

  • MD5

    13058928627ee64bcf607d67cb75f148

  • SHA1

    8355da69de99e0c9716981fba0826f4cd0b61803

  • SHA256

    2029d4e150d9c92627f57e5a8b76410fb05a3586b89c0d71bc4500f37a66d377

  • SHA512

    af3d91fdbc5244fd8cc5c9386de32236bfd56ed2be312de8cbfdc3a0eb2762525c9542108b202583604fc9bf706c8114f10719e8aebc763c30eeedfb9f4037c1

  • SSDEEP

    768:oMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uAF:obIvYvZEyFKF6N4yS+AQmZtl/5N

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2029d4e150d9c92627f57e5a8b76410fb05a3586b89c0d71bc4500f37a66d377.exe
    "C:\Users\Admin\AppData\Local\Temp\2029d4e150d9c92627f57e5a8b76410fb05a3586b89c0d71bc4500f37a66d377.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4772

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    62KB

    MD5

    4d806911ce56b7bcdff20ce18b65da04

    SHA1

    e6020328055fa12e13511efcd08736cfddb23032

    SHA256

    705c44302f74daba504611d347fabfe9e6718b7946e5996cb7c0677241a2208c

    SHA512

    89ccc997248a1f1008a67b5d1d33fd72b95247795139aa3cc73b90114c8dc12539a0e61b7e84443bbca35f35d2ed7e429509e938bbdda8b283014d06485f681d

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    62KB

    MD5

    22d57ffbf1c38bf6b605043a289e5872

    SHA1

    db8879653d810ca4b78a7623bd68d1fddf15d61c

    SHA256

    de3668db60b124383a598b44da05efedd4fa46bcc01d876f6a8a964b97713e77

    SHA512

    3f802e47193fd64fa2331f935489e41cb31bfce0b637fb6f1e2351ac7df722b459987284b06425a51bf255e8b0e7fbad8be0b940fa9af089152c7b34f8d7e1d4