Overview

overview

10

Static

static

10

7b5d185be2...8a.exe

windows7-x64

10

7b5d185be2...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b5d185be23630ee667b35b00d898bed834b0f0a170b7f11157145f7e030818a.exe

  • Size

    76KB

  • MD5

    56080554397ca8fb2f5a16c333bfeb76

  • SHA1

    9864307dfc7a84e8a6d45dc742f2cd6415bbb34d

  • SHA256

    7b5d185be23630ee667b35b00d898bed834b0f0a170b7f11157145f7e030818a

  • SHA512

    27189da3101a4b1ee18a0609c713b159e0b558d2229603ac23eea698f89cd77369b67c20003a5edf1680cfecb64388c24b74657c3c4d36af3a80cfdf628782cd

  • SSDEEP

    1536:ed9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11L:GdseIOMEZEyFjEOFqaiQm5l/5w11L

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b5d185be23630ee667b35b00d898bed834b0f0a170b7f11157145f7e030818a.exe
    "C:\Users\Admin\AppData\Local\Temp\7b5d185be23630ee667b35b00d898bed834b0f0a170b7f11157145f7e030818a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3444
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    76KB

    MD5

    256d29cda0188c5bf6b875791f283543

    SHA1

    438374d69070c0d8d952ab0052fa97770e4d9a47

    SHA256

    50b6f3e2e20c5f33c94e2fd43c96b0edf9f246665e173f094bd8760b2593e1e1

    SHA512

    5cd7ab1d39a63ee787a72508decf93435c3667d8002c1fea61646a4927a99727adc7e5d9ce6f1b62f92208eb9665358127aab4af1ca42885f309bfc81adde576

    Download Submit

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    76KB

    MD5

    deceb37af32a28fe04e1bf078e291318

    SHA1

    e90d0b18ff525b25d1dc762183437811fdb71432

    SHA256

    db2518a0afd1ce1ac8a7f28a8bc9464c8f319f8205ed1f36846ea1c97422ac5f

    SHA512

    c00899b183bfc9f16e2024861786ca73b78336f37d4088ca63c7b0f57e934b6703898b636656ecfc3b0ce4c85adc73298b34deb325c4ec11b24b6bc06ed08bf5

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    76KB

    MD5

    e7a95fcc42ead312dd7e4ef038b418c0

    SHA1

    6de6e6bb5e3dcbe6e457c3e5a5d2f236628410a9

    SHA256

    957eb81d2eac276cc3b41f38010551b2750b46466719b19893cdfe517ac93b04

    SHA512

    876710a5c6e516089339ef88b55b28a16afd6deda778695f1bda0a7b937da70dcc42c496d346cadb4d37d48f2f2d2caadc6a1ed8110c1cf2aeef70ccd6ba6ef2

    Download Submit

  • memory/1976-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1976-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2832-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2832-18-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3444-4-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3444-7-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3444-13-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4028-19-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4028-20-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download