Analysis

  • max time kernel
    114s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-12-2024 21:57

General

  • Target

    7070841de014384b21cb6cbc5628968b71deb78d4943a8b44fcb03e7118f022aN.exe

  • Size

    64KB

  • MD5

    8ab619cd5a6d2f5d409c0abc95994a50

  • SHA1

    b3fce16f122dbfa4ab28a23880e0e04c6ca9ba23

  • SHA256

    7070841de014384b21cb6cbc5628968b71deb78d4943a8b44fcb03e7118f022a

  • SHA512

    25aa58d7d9a0001b6f8e6d61fc676e4b8e79ee461212d1b7a4ea7d835bca8b26c07a29a08a5478801b98651b4749f140f2f651586d3f6f3b13e93851a41f7f4d

  • SSDEEP

    768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:MbIvYvZEyFKF6N4yS+AQmZcl/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE (2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7070841de014384b21cb6cbc5628968b71deb78d4943a8b44fcb03e7118f022aN.exe
    "C:\Users\Admin\AppData\Local\Temp\7070841de014384b21cb6cbc5628968b71deb78d4943a8b44fcb03e7118f022aN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3324

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    64KB

    MD5

    b65d5e7ee2c0309b90cca5e442d8890e

    SHA1

    8ef14c8326ff968948a226c9e53f9be1ed9814bb

    SHA256

    62934102d6faeb7f83dd45dfb7b9cabe8b90e43a2533bc040262905b5571846c

    SHA512

    30912da8627d9be4feb34ad9a26c338d8189ce119ce855a090e2be9da7e5b957432528b58948d5e7ee3fc708d1c3c99f2bac919f54dcc905f5258f0939062181

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    64KB

    MD5

    3dfd2c61ea31b037196cb7c6ce9e0aaa

    SHA1

    911007a3cd0a0d41fb988dace5692a8dcf4e2a93

    SHA256

    5189550f5752bd12e847404bf33263fb427033f785839f39d3ca0b4dc88f2519

    SHA512

    928aac063807b0f964083415dc73b30950bfff31b4bcb9d5335320b94d5518f7d78f77fe4bb2ecec9af6c89adb23f794dd316d829bf06d0ab12253ed184efea9