Overview

overview

10

Static

static

10

ce0b4bc043...0N.exe

windows7-x64

10

ce0b4bc043...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2025 12:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce0b4bc04397fc3758d1771743ab780c223dccc5568314322f3b2a6d89bebee0N.exe

  • Size

    80KB

  • MD5

    aa2c94b3d28aaf7ca6f821fa6af68f60

  • SHA1

    3a027ee21bfcef356014604a39f98c7e43a596e6

  • SHA256

    ce0b4bc04397fc3758d1771743ab780c223dccc5568314322f3b2a6d89bebee0

  • SHA512

    138f2c981bdb55cdb68cc51de351bcec33a94fe3dce26e038af43ca4515df9853db03782002a02ab54476b5a4bc748111a30abd29d6bc05a296d83c1b5bd48c9

  • SSDEEP

    1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:TdseIOMEZEyFjEOFqTiQmOl/5xPvw/

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce0b4bc04397fc3758d1771743ab780c223dccc5568314322f3b2a6d89bebee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ce0b4bc04397fc3758d1771743ab780c223dccc5568314322f3b2a6d89bebee0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    9a3f4ce053739fbe71656b440fb05fd6

    SHA1

    1e38e301a217e1f8656d20a04347ac6996e22df5

    SHA256

    76c5433de52b898b3fd7bf9b7b7f460ac97b1cc453908d097227720dd764ce89

    SHA512

    5446f6b4467dab9b8606ac605959cf677c0ef8a1b1592002b49c58fe6eebbe1c0862d362b3c40d3d1c24f47327d7ae77e4614a692706651a60e69634c094590a

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    ed0046b5a24d0756a7c426d30b3dfaa2

    SHA1

    8b7007b12b8b5b3c3195fdfef693f65ac6bf57a2

    SHA256

    cc74cc71f759828c98e873e9f094626cea736a6f5a44474f1f6a069baa3f4cb2

    SHA512

    a06c0f453aacbc8578df842455025719bdd952ce72b4ddc61a19db97a117566daa5877b7fd107fa124a5661bfb6c079979185bf50ac3a0e96a12e11ac173df8d

    Download Submit