Overview

overview

10

Static

static

10

a779dd1197...7b.exe

windows7-x64

10

a779dd1197...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe

  • Size

    64KB

  • MD5

    5ffc544c383323e6b8417076eab27ef8

  • SHA1

    2c3476521e6833ec97f792a504768f4b2c47fea0

  • SHA256

    a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b

  • SHA512

    85695a434eebfe2a8f9461ed00dc80e3a57cb1e81263e8770b658d15ff1b486436331c8f7cfb1111f6cc68d55f2bf58857b68737457e9bf5a1663618edeed852

  • SSDEEP

    768:7MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA1:7bIvYvZEyFKF6N4yS+AQmZcl/59

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe
    "C:\Users\Admin\AppData\Local\Temp\a779dd11974a79d4b673067b00b262504bb8b857d7702a7f14da4d98c829057b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    64KB

    MD5

    9611035f9700665b6bb653cb0e7d02d0

    SHA1

    911417cd749d30ce22a38955e89122ead423e852

    SHA256

    fb9b803e22cb301baa262cb60636a9c2e634f68e79f5b99e5989f254aeeaff0e

    SHA512

    b44fc12d0dd87bca5f8db9d027d687d726616357c9c1ea087ba98329d74ea5f50aec8b935189c430b2d7d67494123881420306dc9a434f79e2a225b030d7ba28

    Download Submit

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    64KB

    MD5

    5eb2f3c5219067f8b352d5fae6f04c90

    SHA1

    1f2a35f326c59779b727a8399079ec2689e8a23d

    SHA256

    7a27ff7bfceedef097073b3d23c8240e91b1db4c5471d5e4a8337208e495fb9a

    SHA512

    9a54e248acd9a955f594c95c2bead6769b0eec801ad6a7c28e97367a275515f03bc66cb29bc275181111c23e15f0c8c573d55afd2e1b6fcb076609e4b65ff9e9

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    64KB

    MD5

    ffd3ad65f85344012adba84e8d4d40e3

    SHA1

    d2853678b1a05e371f58e2a809097c07c6781cc5

    SHA256

    32ff7c0a425195e97a6547ed52f432dbc1055778949ba331818508c43b39088a

    SHA512

    377839098fbeb8982743f801c2aa0905d95568dde7d66117d5a13f5808fa17f228bf4cbaeff13e14ef54916ce53afd16e906ce990a681f5da100e55b5c259be8

    Download Submit