Overview

overview

10

Static

static

3

49fcd6d417...a4.exe

windows7-x64

10

49fcd6d417...a4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe

  • Size

    33KB

  • MD5

    493ff34e77901f716fab30569f3128b1

  • SHA1

    34306b4a8a27bb745b8dfc769243cc762bd64c9a

  • SHA256

    49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4

  • SHA512

    16dbef0509ef3b4be44ab3e866b57fc4f782f2b9f280ee7e2bf000275adabe03fe9a7b76a9c7f4372aa7257f04237dfbeef676654fea95518f4bfd100d3b26ba

  • SSDEEP

    768:KfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D:KfVRztyHo8QNHTk0qE5fslvN/956q

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe
    "C:\Users\Admin\AppData\Local\Temp\49fcd6d4170626cba00ae03bb0f21b18e69a0058b87ce9548e15de9021399ca4.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    33KB

    MD5

    f92fc5e0628606295f6cd606c22117ac

    SHA1

    44dc0ffaba50c24431bce011255103c07790c587

    SHA256

    5391afaadd073bee9decab8bfbb45a74dffe284d692c1e74eed880a17b4cc1a5

    SHA512

    aebbd0544743f923f38cb8e1c8592d75e31f4d41ec9a6276937a256e62e85f0d8900a5e04a6d59f9e55b3ad9907b72e4e19c4d94365eb2caf52492b24cc2bd57

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    33KB

    MD5

    d789a03a8aed4ed528d8bb4d6b0808e6

    SHA1

    a44ef3fe1607a197af78e22d4797e5cff7058b14

    SHA256

    fc0bdca6a5b185ec0ad860ed84b8be7e690aea21340ca263050c93c4c0c61636

    SHA512

    0673972c0a3f3c6ba5229771a4dda02cf8e538d88bcb20336fb5e4d2682498d25bf2f9b02f93b8a620b800fd765b83b324ef708e1a7a382190f1ebd09c5fc8ba

    Download Submit

  • memory/1780-7-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1780-20-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1780-8-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1780-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1780-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1780-15-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2896-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2896-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3584-19-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3584-22-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3584-25-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download