Overview

overview

10

Static

static

10

5cf907c0ff...fN.exe

windows7-x64

10

5cf907c0ff...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2025 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5cf907c0ffa72b523dc6ce94e687ba97de983577b4e76cd0324a4b893d12b15fN.exe

  • Size

    89KB

  • MD5

    4da82766ce647732f535219d482aacd0

  • SHA1

    9bbcbcc011b588d0bced8cfea65780b35d347389

  • SHA256

    5cf907c0ffa72b523dc6ce94e687ba97de983577b4e76cd0324a4b893d12b15f

  • SHA512

    ac57bb6455f9ea1f5f68bb8981591c7b87a82d5fd34f90cf84a92694a4c2532d305407f30b6e3f8150b1db466e6c81540f2d232263251e7210af7b306c023afd

  • SSDEEP

    768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:4bIvYvZEyFKF6N4yS+AQmZTl/5d

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cf907c0ffa72b523dc6ce94e687ba97de983577b4e76cd0324a4b893d12b15fN.exe
    "C:\Users\Admin\AppData\Local\Temp\5cf907c0ffa72b523dc6ce94e687ba97de983577b4e76cd0324a4b893d12b15fN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:692
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    89KB

    MD5

    43885c1419613b129193b132f206f4be

    SHA1

    cf5ee2ee9838bb4a085f85ed164d88f93505569f

    SHA256

    5cd2e0fed6fc66e5fd3b7a083922be53e30b9bbb5c90fd048a91dd5a8c7c9c08

    SHA512

    7955c6cf0c4a7e336c00676a004d92b13d95ae57b8310201ba93f69b3806e13fc611b98776e7dcfa7ebacf4d0c480a331890dfd1360bbc9a919b06003d9eb83a

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    89KB

    MD5

    06b63743e728e8df85ac4b4a09d661c0

    SHA1

    03a5cf8b71ea0a8d24f34dddda51ff7dfaff046b

    SHA256

    bd038f42351cee8c32a1c89c5e08b3160f1c25200f6046d8b805740a73c8963c

    SHA512

    c86877ea9cf53ee723ea641aef711a7a0c5357f74c35061578dc5d402d202f22a7e7872453ecd3b31802dfcaa00fb44bc9bdccbde1f68b064839550e89404e60

    Download Submit