Overview

overview

10

Static

static

10

08d828aeb2...4b.exe

windows7-x64

10

08d828aeb2...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 01:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08d828aeb27484f2d29c2dacf522e75c43ceda3afdd64a0c79e76a28bb32724b.exe

  • Size

    80KB

  • MD5

    bb7172d759a55044a6a5b48b3ddab5b6

  • SHA1

    dfae366a0746891116f89d849fd7764b4fa04abe

  • SHA256

    08d828aeb27484f2d29c2dacf522e75c43ceda3afdd64a0c79e76a28bb32724b

  • SHA512

    aa713b60144290da3f03abf22b44e3259c14358f8184159e22bd295dc00a072ec02d6d2f3e09c67360c05f7c83fc44ef99435187eb90c9dd0e9a16a46cd2cfbc

  • SSDEEP

    768:6fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAO:6fbIvYvZEyFKF6N4yS+AQmZTl/5m

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08d828aeb27484f2d29c2dacf522e75c43ceda3afdd64a0c79e76a28bb32724b.exe
    "C:\Users\Admin\AppData\Local\Temp\08d828aeb27484f2d29c2dacf522e75c43ceda3afdd64a0c79e76a28bb32724b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    a91c0a3f46f02fbb086e70863d4e5e2d

    SHA1

    9d36857bdb707f126fcb78aacc15d5ae71a82d4c

    SHA256

    968ced0e3e046a664cb61c634dab1ea8220107296ddc038e2c26578dcb36ba99

    SHA512

    6baba55293ab09c76359d19f374403ca9c1ff3fbec5bbc40233e257ad59bf43d9501c5ae4e2051319b3b5dabea8b8881fb957757d7dfe0f7082fe2898560d37e

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    86cb54d559060260d5263d451b8fbc9d

    SHA1

    0946d5181f6640b38aefe8db9fe406569c5b89db

    SHA256

    6a50e5f95b94c8c63754925bae58f4ace0c6d96a1b33a79e5e947e54eab8eca5

    SHA512

    a34ca81eaea0033b0617f8b52a54b0327953415ee6c9138c6b3e23691cc7eb318168142c4a4d2a36a88a14993f31c1845d9ccb27451a8758a5c91a0adc58712f

    Download Submit