Overview

overview

10

Static

static

10

bcc5af1d89...fN.exe

windows7-x64

10

bcc5af1d89...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe

  • Size

    76KB

  • MD5

    5b647dd82c1776527855f4d3c60c0b30

  • SHA1

    254557dc05ab9ccad2eb427753ee3942fec0f0d5

  • SHA256

    bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54f

  • SHA512

    1094e6878b959ea7a7fd48f2115abb50b8a5215656e6e01edb503ec57e385e935453bb2066def63ba5fca5864e67ad828be5874c1bba92dc206d0281f1e0e17f

  • SSDEEP

    768:XMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:XbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe
    "C:\Users\Admin\AppData\Local\Temp\bcc5af1d8912040b234ba02afbabec27d98236cc6b1e622c3d91f8acefaca54fN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    76KB

    MD5

    062bf4070f214ceec3ad3e6db40cc9f5

    SHA1

    1aebac305383649c5d4dbb6552ee25d476db2367

    SHA256

    5350a4d697f4812f7f4676d3b85f52c83043f3d02188c35a1dc0efcf8bc4aaf2

    SHA512

    a924aa3476755c8714aff6d40d489e9284e85bc9ae8cd3459eaccde45c1f879c55f64c32cce1a5e3e2bee7230ce14c81079fb34ee0109e41a2cde74cda613b88

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    76KB

    MD5

    cdb844ce0ae20bec9c6553236a159353

    SHA1

    eee0812ced920180f0a64703dd7e753b352bdfed

    SHA256

    a986d84565b749bf6c6e957b3f1e10912ce12baa36f72e17f9d2f9add2a6a58c

    SHA512

    15689f3bd4473d7d705836bd88d5ed0da352111f0d914e2dff01c657b2d750412e0e082f183ab05b0c75920788bf471b3e8b9f95d6431a6f4ce973cc3f2d143d

    Download Submit