Overview

overview

10

Static

static

10

622ee1be5d...aN.exe

windows7-x64

10

622ee1be5d...aN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481aN.exe

  • Size

    80KB

  • MD5

    7ff47073999fa2bf7d182d25da9848d0

  • SHA1

    c59e6d35e595dc21ce46845f1b34b39416cc6c22

  • SHA256

    622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481a

  • SHA512

    3cc4a35afcd1e5d7310cc7186e01c68baf3478ec1a1d92a1b68adb5089affe6f54eada4486ea53fc1466361d6efd2845e91f253a6db7654a5551718f010970eb

  • SSDEEP

    768:nfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAe:nfbIvYvZEyFKF6N4yS+AQmZTl/5W

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481aN.exe
    "C:\Users\Admin\AppData\Local\Temp\622ee1be5d2f40f19cfea8cb5b16b2ff1749e82cde559c70b095826ef7de481aN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    f2ea4f51b5256588615438c81c085353

    SHA1

    debfc847bf17854b35243d3f025a585916a5b193

    SHA256

    d7a48273ce9d8b77ef72402e204c26115fa003412ef6d6679cd73d1b48f3ad5c

    SHA512

    37690d1750ef5a88a66721f371f3c134776f973261c2e5702c8ed239ec2f2eb22e0e85d7e7abdb54b2d2080e3921d3d36b6dbb309e2f42fd600eb3e67510deb6

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    e347afa015f81823ddf61bdbfe3bd5ee

    SHA1

    1d300d8a1e9b96a0fd0b31bd8d4bf0a08e4af4cd

    SHA256

    eaddf36bda8948ad674d579a5186436759ce6225739e25d0cfca66f64cd71c56

    SHA512

    7fd1d58d3ff3d8c1e5858d349d16f7a220688df4b5def7f3c93b0b7964745c9f0ba6402df26ec130f50715c697aced420a712deef5c2cb9091e6d54b0775fd9a

    Download Submit