Overview

overview

10

Static

static

10

a48854c6df...f6.exe

windows7-x64

10

a48854c6df...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2025 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe

  • Size

    80KB

  • MD5

    069dad5b8bdad12163efc02202980084

  • SHA1

    8f78016b6151df0adea2e245dcfeb695bc8489aa

  • SHA256

    a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6

  • SHA512

    c534c87d37c992de852caa3282d6bc1fac257a7bbef293c644d0e93bc20423b2cfd180d822321967a90dfe646528728a6f86e7b50af6e063f27c872c7f4cde9c

  • SSDEEP

    1536:ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:6dseIOMEZEyFjEOFqTiQmOl/5xPvwX

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe
    "C:\Users\Admin\AppData\Local\Temp\a48854c6df8ed4f5adc721e2160132756928fb3725f5babdd14bb0535f6deff6.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3908

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    1a499116d25692f1906357e558167ad7

    SHA1

    64040bb4b7efbba535604c6e0a63ff061a143553

    SHA256

    82c15929ac0cb6bda7e4957ef9703b3e182dd6bc69c846c81c79ef25f9292bd9

    SHA512

    bb00477a72276bb91af7f0deac8bfc1ea1ba50979da80ae0af0dbf13002c777898ed7f56f4f77602aea16ec73b4e4394368cb0ed165570d7595123de3f38cbdf

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    243f100da666e0a4b6d103b82934798c

    SHA1

    30060ab9df03460008f51d31b0a809217c982bfb

    SHA256

    32987d2a7b3079dd1f244228c650fccb3f48e8349c1d6a98438d3942acdee2c3

    SHA512

    626b8564c4ebf284713e4e887a67d3f652f807091077544f0ffae855d5b8e7f6e7a03fb04061f502a94c86356d2ae690d0264c6c05a208d0157738f5ac98ebf8

    Download Submit