Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-01-2025 09:28

General

  • Target

    ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe

  • Size

    61KB

  • MD5

    5e1f7996331d7c63d518437ed335f68b

  • SHA1

    d4da47d3e22d3c6cecd81244223222f1e8b30e64

  • SHA256

    ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483

  • SHA512

    50c1ffcd2ffdcdd68cdb76c33a674e67d61a90b6c90b480b83771e33b830f2207d0e8281ac3b5abcc49343a07e65cdfbc0216c10fcdc42a96139b35674100a3a

  • SSDEEP

    1536:Pd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZxl/5:ndseIOMEZEyFjEOFqTiQmTl/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe
    "C:\Users\Admin\AppData\Local\Temp\ea4768945a032acabd3b8db12e9d0c3ffe730ce946ed049f7c75222393223483.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    b60592ea831d8549f838d2c2121866f4

    SHA1

    b2c8e5bf83f701faf871fa7e292ec79563c52095

    SHA256

    d66a230a589100b8f7a5bf6bae3094bc6c1e1f12551e51d20336b71483bf8483

    SHA512

    a0deca5b401a75d55a64513041426109f25b3bb682080a5ecad965febc5f85636c4df63bdfea1c707e0c33852aeda23b02e68d5b3c2d2843546290eb56db07ee

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    8cb3c839555c9e36c818a4c58f0c5d12

    SHA1

    d85e57ba93a861af56946952007d92936a6563f1

    SHA256

    22b1bdec83b83f802d410988c6ff00cadb7af761dc3fd44432e28928f5a682a2

    SHA512

    945df41c6e37725c600801612348d1e8bea6f05d82636f03e264aad3d3152ae836d3bf335eedc8371862f344f1a171c136e04c310da815cb321056635e3b1a2e

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    61KB

    MD5

    60ecc3280e134182e82759e7fedb626d

    SHA1

    f9a4608700ee0c4bbeb4475a3275ec80544f90a1

    SHA256

    1b76383720b4d214e60d10423a2ffdc9b3e61c1c87d4c0f69a040110222d19fb

    SHA512

    48ae1846fe2336ec290afe58a3b07a86ddada6376ee76ebd9133ac52950bee3bfabe17ac2325843c953b1b1aa63f59b07f6e51ea95e783f95fb603b59b0c5574