Overview

overview

10

Static

static

10

c92ee3f197...f0.exe

windows7-x64

10

c92ee3f197...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-01-2025 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe

  • Size

    80KB

  • MD5

    bc93bb37f28c88b63de5ae3e2dc14206

  • SHA1

    9ac40291bc4f21b7e32483a5450a994363a1b9ff

  • SHA256

    c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0

  • SHA512

    3f27bd6767254c3c2ad2eaf523f2c346362bfab90d25b6f6275af8169001987a395044673b80da2d09a5f8004c1dd62550044e29a968925ae54b718dae0b4361

  • SSDEEP

    1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzL:LdseIOMEZEyFjEOFqTiQmOl/5xPvwP

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe
    "C:\Users\Admin\AppData\Local\Temp\c92ee3f197858b201cd0af8ed615da27761b1129896675f041e0ed3e968e9ef0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    0f7b87df16a13c3d51b041d8d3f50821

    SHA1

    2bb1a47d6490d26d6412999d5248f1c73622d856

    SHA256

    b1b7ab280e48328dc92ed9495232033d7d9fd9eaef70b5c3e5e920e854ae5928

    SHA512

    d77bca55f08f254049ae2163b95c9f030abb3a28bc8b376262b0c84c13f4dca427ac62568a1fb8ae8616d2bd0e9e59fef907b5ae1901f6362d06a813088d9a51

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    0576c707b3807ebed94a779444699257

    SHA1

    caf669423c6552719adb68670972e496599ef89d

    SHA256

    7d547fb95f357a99fee347dc0373800d35893b63a1c3a1d99611041380993bc4

    SHA512

    d4da0cd4b16192b191137b112f4ba58dba68510227de41594ee9b62ec006748afe13e4f7a66f2ab40ebb7b2d7fbc0216f3f294e8ad275d83edbab40637137983

    Download Submit