Overview

overview

10

Static

static

10

bda801d0d5...c3.exe

windows7-x64

10

bda801d0d5...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 08:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bda801d0d53c5936029edf47f063a60ad71e56642137d173daeae6a60ba9c5c3.exe

  • Size

    62KB

  • MD5

    e6f29ff7f16171c71bdfd16955855d55

  • SHA1

    9fca109edc006a88a1cc8404622c706ed4025b6b

  • SHA256

    bda801d0d53c5936029edf47f063a60ad71e56642137d173daeae6a60ba9c5c3

  • SHA512

    a3d40e0b7efeda7223599c72b141713fe032ca819e184460ea5b6d74c47fc8aa94b0cc55e59409f604b785c7eb788f5962e6e614be2f897fff17ec602d06aba0

  • SSDEEP

    768:dMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA1:dbIvYvZEyFKF6N4yS+AQmZtl/59

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bda801d0d53c5936029edf47f063a60ad71e56642137d173daeae6a60ba9c5c3.exe
    "C:\Users\Admin\AppData\Local\Temp\bda801d0d53c5936029edf47f063a60ad71e56642137d173daeae6a60ba9c5c3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    62KB

    MD5

    062fcb9a4d01c4c1f7ea4d3985ea22a4

    SHA1

    7e61344daacb9181013a0efeae829ef2d61d2876

    SHA256

    6978e06d53b8b5f2b944731634ac9f78ed1ea79106ef4522675e3207e5a52dd6

    SHA512

    b2e5217c79dde932fc8dab0a1a1d0f04d58a7a783997d3d738e642b1a1ac60461d66b3c0bcb582b4d8e5906ff665f595ec9f8afd77a37d1204faaec74af3bdd7

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    62KB

    MD5

    9b638ac4e1eb05a10abd0705bad51384

    SHA1

    2cae05b61617d540b6bddb01eb7a62db1a537450

    SHA256

    bd46a5a3ef13669dcc693118101a8f1f1b15e0190e3cc8cff8da34f89ce9ca3a

    SHA512

    70b67b6b461315ca05c4ce92cacbcf2eb3b0dc55dab653ad946ba8594ca86415405a7241148e40db4dc8dab86eae9b9b7f7b546ad8b8be6ba6fa909a57a0d8c7

    Download Submit