Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2024 18:36

General

  • Target

    1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe

  • Size

    62KB

  • MD5

    3dcdb2d1d4ba8dfb3a9d6fe0b1b20e75

  • SHA1

    bd322d374d7ec59ce7994fefb808ab42e51ea521

  • SHA256

    1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9

  • SHA512

    5130d0939b8336d13173c97dd6720cc61d27d24ec5afc73fcb274c180843534052e09d30e4672753f8a8687fbde935ced8f6a961103bc4b6dd32c357aa673f93

  • SSDEEP

    768:sMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA9:sbIvYvZEyFKF6N4yS+AQmZtl/5l

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE (2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe
    "C:\Users\Admin\AppData\Local\Temp\1bdfc8bc61ff3f0ddf6997276319dd8d087fd8ca6ede5fbb9d5637f4325868e9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    62KB

    MD5

    4b9c29f26ead3b6be3c2066dc511476d

    SHA1

    a1cee8ddfaeeb934bc2c2ce6c2a268ca5254955b

    SHA256

    02716db5021493b91fc436ae05ec3cbbba7586b646bcb6fc1b653b39efcaa7f8

    SHA512

    0d2aa4950d09450ffaff88edbba451e41dd177205ffdca787bd5197fa47db2cd5706dc2901526642bd3cdc9ac99d5c60abf6bea0e5a583da91bbbdf88513002c

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    62KB

    MD5

    613aa39efb8214a6541a79261a6797e2

    SHA1

    8c8a1a7c4cd0c5dcedf417f093c154904d4cb863

    SHA256

    9bc5128f090b2e04f154d37625051282c4cd16b51cbf53a1b3252f3a27a4cd46

    SHA512

    915eedf4b7a50dfacf57bdbb3e36932a83dc1f53cd78a08da482fd2a1a5dec3922cde9b050dd08d929c5587f3c11ee0eaeccafe86de94d9f07ae4e40e54ff2a2