Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/12/2024, 21:42

General

  • Target

    432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe

  • Size

    84KB

  • MD5

    e1be79886e6f2041654f4fc69175f206

  • SHA1

    910f36d2b197e4e6b02c6d727a8558e09ef77217

  • SHA256

    432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1

  • SHA512

    317c23fcf89d49fea1f527a5133e992db09d60484232f10835f12cbe75611ca4c15297661636948b08e30c9dce0fcf8a86972988674153e9f071db8386077139

  • SSDEEP

    1536:Ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5z:gdseIOMEZEyFjEOFqTiQm5l/5z

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE (2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe
    "C:\Users\Admin\AppData\Local\Temp\432c26adde146901ccb18dac77a1339991bbf39e8ab34f061eae6bfd0c5075a1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    8e689a129eeefb32d8d710a303d8031d

    SHA1

    199bdfad5e9d6d0f25d912cf86200085b6ce6143

    SHA256

    ff2d97db9727efdc4ab58dbcd734fe4109994d4467c754b994e15613078ef3b8

    SHA512

    d67b1f7f3708dcfe9d899fa2b190baf31b41157fea2d766af311cb510de1dd12a3075a7e9da7e50f518ef7adc6cfa95d27a1cba38c4ba230333b08135901d45c

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    84KB

    MD5

    d7a4f8df5f29547972cba09e3a5179f3

    SHA1

    6d6bfdac4c9aca66d5c45e585f2ee9e35974fa98

    SHA256

    87ac9391d495c2c5b9c7c9a50928a1cb881194a9de280741c522489427965b51

    SHA512

    32b6d3e14a6f7a232721c2abde72ba4682b7c0f004e5f24c0e1b1cdb3b3ac661cc53f72b0a0d25881bc9576d7fb0d64571b5e5fa3f03f26afd32f65c187c1889