Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-12-2024 11:32

General

  • Target

    50362cf04080e9edcfbcded73d520bd5daa0413d7dc0cb95dfab6391f2507784N.exe

  • Size

    62KB

  • MD5

    017b49c92d7ec1e7c1bb7aa42eec5c60

  • SHA1

    67e3748765cf29abbefc1321a77d0d3fb8cebb56

  • SHA256

    50362cf04080e9edcfbcded73d520bd5daa0413d7dc0cb95dfab6391f2507784

  • SHA512

    27c60a8303017ac2e69700ded48d2763561b0fef8b3fd7740912a26938d3608ff9e36c619115453dbe1cdb7057445a7fe448fb50c071712e89fc3a6643f5e227

  • SSDEEP

    768:IMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uAf:IbIvYvZEyFKF6N4yS+AQmZtl/53

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50362cf04080e9edcfbcded73d520bd5daa0413d7dc0cb95dfab6391f2507784N.exe
    "C:\Users\Admin\AppData\Local\Temp\50362cf04080e9edcfbcded73d520bd5daa0413d7dc0cb95dfab6391f2507784N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    62KB

    MD5

    d7960ca7b8bb39549b78c8eb7c70f080

    SHA1

    5ff4d290bf1c1fa4d2a8d4210a81f7e9d5a88d5f

    SHA256

    3b342401d36f19b1591f04d22b53e30dac961e8d8dea9f69dcbf8d4512e51524

    SHA512

    5a114edf261cf61d1b376144b4907b8e42e7b215ad9ce6f35388a57a3669f8e5e06a9a4ff81e9f83f56713a353ea4634045363137689dfca2e3b4228a949573a

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    62KB

    MD5

    396e41cf7f3061b736d0674eab7172e4

    SHA1

    4489d24a7deef3bd91cf6a3584672b08398a6163

    SHA256

    cba4ebf1b1e15ba4e1514ed4680de4cbfe16536e8ab9e1f48e9eb5e7c9c54bad

    SHA512

    973024c00513d1401692061b293f74cd9a43e643f875dfd22d8ab114d0f59ac880e422c93a0f963640c345631e0737ce5ef7b00ca2dfb9becf74e57750f6776a