Overview

overview

10

Static

static

3

fad67cfd3a...0b.exe

windows7-x64

10

fad67cfd3a...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2025 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe

  • Size

    33KB

  • MD5

    d3f0cf406da9136839b1e44fe2f893d4

  • SHA1

    50e893170eb84751f4dd73c0999a070ca9b76119

  • SHA256

    fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b

  • SHA512

    66aa4b677c1c928f48ddb67238b73ceb65231c023c515b8ce8c7b0d4cd8b0e71b66bdb12e074f9ed0f3a4cbf2762c91e71fca7b5c32d82555d11cb8907faae8a

  • SSDEEP

    768:LfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7Dj:LfVRztyHo8QNHTk0qE5fslvN/956qg

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe
    "C:\Users\Admin\AppData\Local\Temp\fad67cfd3a08bfb989ad9c02d48cd8f1c9399a8eb0da45bec336bc4312d5d30b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    33KB

    MD5

    bda0144dd27c24e62b4b297335b54457

    SHA1

    271a84cb22521148c4885f3363cfe83d74e9cd53

    SHA256

    c46ae14328aa619df6c3e20b4cc284af6187e314ffca154eb51d78316cc862c9

    SHA512

    5e704e914656a5d5ec7f3dfeaa7d5a8a1e5603372aa83574ae759585a8315d67228a8cb054bb45c22bde76b6edd6fdb134eb2eb4245dfc5432b989b450cf40fa

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    33KB

    MD5

    aa991d07689a14a8f6838b09870f98df

    SHA1

    9e2e9e5c511d627310d980f636c18a27c7619228

    SHA256

    13f74f481223d3d9bac06b2279220de85f5e4208dbb8ae46e5c68ef984c7fc53

    SHA512

    a7d0b55c8dea9a482f5c03632bd723adf21dc3d85b6b9c81627a53569748c9a83033afeab1967c85913dd7ad7ca8ad1c199fd194502c35a6eaecad5dbb47374c

    Download Submit

  • memory/1852-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1852-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4568-18-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4568-22-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4580-4-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4580-7-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4580-8-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4580-13-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4580-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4580-21-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download