Overview

overview

10

Static

static

10

088e0fda49...08.exe

windows7-x64

10

088e0fda49...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2024 23:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe

  • Size

    76KB

  • MD5

    f258e3204bbb59c6cf0d5cd73e05df4b

  • SHA1

    bf6d6beb5dc195a2f028b834d798f1035159dcdc

  • SHA256

    088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908

  • SHA512

    8117b42d31c0442addbd70b5d7125ec4354e51e3013eba1ea658fe9769e86c3a7e674c7de5aa54a9515ca6fed8f938773ee1f7e94b98dc1c9a7f4a52d5b59f59

  • SSDEEP

    768:AMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWD:AbIvYvZEyFKF6N4yS+AQmZTl/5OD

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe
    "C:\Users\Admin\AppData\Local\Temp\088e0fda49badfddc1f558291967ecbaeea54d6ec0a6ae7c05506381627b8908.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    76KB

    MD5

    9c4f25a36015f0679d067e532fe07e75

    SHA1

    b04734f9f29c84dbf65ebd96d6dc20d89fd45093

    SHA256

    6e6c6c232398e7f5998bf367705409ced9a4e1dc53ae2b239f3d9dc0fb8231fd

    SHA512

    383e6d679a98824e6bf695fee41470bc45c0df24afa2811e0c78831b87182be7dd9701c4b2a4f7cdf44a37a93e00b0304f6e94221d5cbabe6d242b0d7bcd0b5e

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    76KB

    MD5

    a4bd646fadb37583313fcbe0d095b268

    SHA1

    e969b5ebcd7bea1a3a68f4a655da07abda76880a

    SHA256

    f9f350429176be8b0627f8d3d7e43f980e6f81d828883e6350eb6c310e3a5972

    SHA512

    41a93361e8c799ff8689e6f5002999a1752b4b2e491a0c9eddc24070704401eaaad268f1b30dfcde1cad48e29f2dd49ba857a80568ce45b743e8853412d38c8b

    Download Submit