Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-12-2024 01:12

General

  • Target

    89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe

  • Size

    61KB

  • MD5

    017d109c5cc843b13731af066ada150c

  • SHA1

    b8f708f3c21a4766ca1283de3ad9984e59ef8a03

  • SHA256

    89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5

  • SHA512

    51de8bd5811b92b86cb23de784627ac264fcbb32f0a6761ee9302c77e33e8efbc97ce111b9c61db51f0d078b5166304c62ec946ee806a20b9c1339ac3a4842cc

  • SSDEEP

    1536:sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5P:UdseIOMEZEyFjEOFqTiQmil/5P

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe
    "C:\Users\Admin\AppData\Local\Temp\89e5027a994879e2dbfbdab11eebe0b13db42ac623754f54835cc0f4e19eccf5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    72045e347e684a9f8ea8d54f23ef1423

    SHA1

    83b9a622fdd7c59d1f8db40a794c721ccbf690b5

    SHA256

    6f5a4fb2da77ee9325fcc3f3e81d51458abca28eee2e44707fa2fb102e0eca2c

    SHA512

    f8390f0f137af470effbada92b03620e19232cfc1a94c48058033a3063c476756daf1c30caea9e34a05bdaf4a0168ff5fd490c739a6b0cffb326d6b25d1b506f

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    61KB

    MD5

    49e706e6530e2a001d64a00a0366999f

    SHA1

    1bf9908a90a647995a602cddcc09a78e6da12ee5

    SHA256

    da93d098fd8c1ba7d6fd4bd393912a53d987ee764403c4ed910ca57417081085

    SHA512

    0f897e815565b3d3bf0cf61830f8f4c4fd019269938b0bbf60d6163cea3c050ceb3cd772a738cb8b5e830ad43c916b0b1612930b3a8b78f0a67b83a723a0ee9a