Overview

overview

10

Static

static

10

b7e0fd4ea8...74.exe

windows7-x64

10

b7e0fd4ea8...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe

  • Size

    90KB

  • MD5

    7af9b5ceda1e9d155668a9e6008d3b59

  • SHA1

    083e8c8c047248bfa49b0a74024f2564074ceef6

  • SHA256

    b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674

  • SHA512

    551147b5165da5a5f9312cdc7a45b57377fee556207ac393753e02178c8ec5c4bfa30a30d0f3559bb19fc0a664071ca377d0484ee792045eb8258c6e141bdfa9

  • SSDEEP

    768:UMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA+:UbIvYvZEyFKF6N4aS5AQmZTl/5W

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe
    "C:\Users\Admin\AppData\Local\Temp\b7e0fd4ea85be35f101afa84e8fa05112821dcffc32d0131cc203b368b5d5674.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    90KB

    MD5

    1b8b4f6d30b6991352daddcc67925a90

    SHA1

    b646ddf45e24c0b995276d18117405dca887f738

    SHA256

    0dd72a483722e2bd430248375555909349d24c92e83a119587da60ae70c8e34d

    SHA512

    536fdbd07c225f90eef652107820aa89a11218a05ae0be27c321e841fd2e9ffeb7353f2e9e909284e046bbf33b87b38d9be976d0a9c61ec4211d1c996def1f27

    Download Submit

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    90KB

    MD5

    af5bb426f8ee27bca4be5a96a0427f0f

    SHA1

    9700cdb94ed82c9d3606a517d396540fd0b4acc0

    SHA256

    ff2c501d50c6da761d543af1848bee323059b2835609924e72aa10117b851d26

    SHA512

    d36452c25ec4d183bcf04e7c9bede891da63cf846bdecd9ea8bb036a1dc36a0a08328e1e30afcdf496fdaad5ba430d42af96dd609efe9109a967ae38dd4ab781

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    90KB

    MD5

    bc7f0d8d7423d31119272182a72e7f09

    SHA1

    82cc872c170d62978d5f813d84eaf5407845c56d

    SHA256

    4fd3e7edede6c8f8d1e5cd0b20603d797fccce3ea4e0ee996d626742f9f83333

    SHA512

    b0773e688e51bac8ff9933e9b44901e9ccd725084122a856512e37385025c315c538a63bc78603c8ed9f5fdb6de97b51685ca6c1610cd0b222a98d92862a798d

    Download Submit

  • memory/468-4-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/468-7-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/468-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3208-18-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3208-20-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4468-12-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4468-16-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4656-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4656-5-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download