Overview

overview

10

Static

static

10

47e9b0ca9d...a6.exe

windows7-x64

10

47e9b0ca9d...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe

  • Size

    61KB

  • MD5

    8b3e6e6a31fb8844e093e4cd4921895a

  • SHA1

    427f5a5d8e5ce3a2c6526c19cbc07a5c7db004c9

  • SHA256

    47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6

  • SHA512

    f300b4c2249658c1a403bf8e6210b70bfc8e449d1461424d0a6b0b3fac5c9d96f21ada30817977f563237554df353ac2d50441edd0d670c8432e07df12f5daab

  • SSDEEP

    1536:Dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ1l/5:jdseIOMEZEyFjEOFqTiQmXl/5

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe
    "C:\Users\Admin\AppData\Local\Temp\47e9b0ca9d0475e7ad980646da0548f9574d4f85835fc5459256b4232f9260a6.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    61KB

    MD5

    aee824f384ee91d264090ae728226522

    SHA1

    e8c0b0e3a82a78ab73a31e73980fbc59e7513bf3

    SHA256

    51b5ed4fe9f42595e1549a89a2b70e5b0620551f638ac9cdffe380bd60f75071

    SHA512

    a6d7bc800d1406addda0e3c5818f452f1cec5c360a259bade3b0eae56553e32733fa096554038947344a13658f9e7388813a2d1127028079ed145e38ee81780e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    61KB

    MD5

    9b93cb32d5abb4fbbffeea1403a06899

    SHA1

    a093778e2467792f181f29ae8a8090591708e910

    SHA256

    26b8f74802b7a1bc04f75a1a148c703092a3e62b55d11daa91b4d43436ac4752

    SHA512

    e9679c27059ffcc5e603e51629aced63caad463625caa8ab9f36b2e4965fbe76d2bfebaec604dcf6008cc6dc81a90da5cb102c1f1e1f3c3a6d595f6066852c70

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    61KB

    MD5

    41a39ade693184a404ec62bb36550c04

    SHA1

    d14784964ae60f460dad1c0128c430a14dd10afd

    SHA256

    6c40c5ac7e71f269a451d224e88ce989779c36a166366657581d7a87c585d0ba

    SHA512

    7589d78ee3eea2bc814d058de54076c3eae9687f33a43a0bfc3c4b1b184a61f50e77f4ef5e5d18444b411f21fbe34f70d32485ba46c476aacfb546696deeb4a8

    Download Submit