Overview

overview

10

Static

static

10

cb1e09e30b...5c.exe

windows7-x64

10

cb1e09e30b...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb1e09e30bb7273880cbcc9927e5d02b4f4fe6e25d0ed8dec47df6a78c70945c.exe

  • Size

    72KB

  • MD5

    87d057b93a2301e8de8bbb1a495e9b08

  • SHA1

    bdf58c03ca185b5821f08509a30d496e88e0acf0

  • SHA256

    cb1e09e30bb7273880cbcc9927e5d02b4f4fe6e25d0ed8dec47df6a78c70945c

  • SHA512

    69d0106842aa4c88abfa8d4da87214ba09527446a493d431b2f690a5a1f6fb5671ffffa28cf25dd84dc206001b5d8cb9b9f0f79bf637e5f5065b18f83cc7bdb6

  • SSDEEP

    1536:hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211v:RdseIOMEZEyFjEOFqTiQm5l/5211v

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb1e09e30bb7273880cbcc9927e5d02b4f4fe6e25d0ed8dec47df6a78c70945c.exe
    "C:\Users\Admin\AppData\Local\Temp\cb1e09e30bb7273880cbcc9927e5d02b4f4fe6e25d0ed8dec47df6a78c70945c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    72KB

    MD5

    b65894502ecf2b5f3937259eb5301615

    SHA1

    0cc95adb325e604999f74394b2a865e787d9d554

    SHA256

    14e40595887be53d37d1356c2615b13bd991c8744b0f277799ce0072370d23bb

    SHA512

    479d2b14ab2d2081b444550b705af92f808ae721a840e346ae64116025ac84e3a5c7f85d97ee895469885d9bb5a9419868d5f3f6e692f78969d6a17bfe03116e

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    72KB

    MD5

    d07ffc98e6c17395d977b692e2a4edc8

    SHA1

    bae96bb02b905a51cc1ce176892899c89addf68e

    SHA256

    c3132177d125222b22a1140afc7e9ae0cfe210f2fda38c430da2f17074a15fc7

    SHA512

    f5bcfe3a9ba7f50f94eea1cbeba24adb3280e0ef02310b4ca4141046f3ecf8f99ac3fbf2a08d3a6b56a04dd2c6e9740c1fc53c2061becc591545eff5914a14e7

    Download Submit