Overview

overview

10

Static

static

10

08d828aeb2...4b.exe

windows7-x64

10

08d828aeb2...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 01:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08d828aeb27484f2d29c2dacf522e75c43ceda3afdd64a0c79e76a28bb32724b.exe

  • Size

    80KB

  • MD5

    bb7172d759a55044a6a5b48b3ddab5b6

  • SHA1

    dfae366a0746891116f89d849fd7764b4fa04abe

  • SHA256

    08d828aeb27484f2d29c2dacf522e75c43ceda3afdd64a0c79e76a28bb32724b

  • SHA512

    aa713b60144290da3f03abf22b44e3259c14358f8184159e22bd295dc00a072ec02d6d2f3e09c67360c05f7c83fc44ef99435187eb90c9dd0e9a16a46cd2cfbc

  • SSDEEP

    768:6fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAO:6fbIvYvZEyFKF6N4yS+AQmZTl/5m

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08d828aeb27484f2d29c2dacf522e75c43ceda3afdd64a0c79e76a28bb32724b.exe
    "C:\Users\Admin\AppData\Local\Temp\08d828aeb27484f2d29c2dacf522e75c43ceda3afdd64a0c79e76a28bb32724b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    a91c0a3f46f02fbb086e70863d4e5e2d

    SHA1

    9d36857bdb707f126fcb78aacc15d5ae71a82d4c

    SHA256

    968ced0e3e046a664cb61c634dab1ea8220107296ddc038e2c26578dcb36ba99

    SHA512

    6baba55293ab09c76359d19f374403ca9c1ff3fbec5bbc40233e257ad59bf43d9501c5ae4e2051319b3b5dabea8b8881fb957757d7dfe0f7082fe2898560d37e

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    73e63f18de939a4030324f820c44a931

    SHA1

    3286313dcdf44ff86ba10fbdde136efbfbccb9e8

    SHA256

    61eb1f6913daf520fb2723e2bc2152596730c592a843217c70f748eb6f198dc2

    SHA512

    772e6d65b8c78ae645cb4a525fbcbdbfb7145775b3c3831a5c870e47af8085f705adcf20a27934b155c6a819854ac36ec264b7a7f4612b02c0889b7cb607ee6a

    Download Submit