Overview

overview

10

Static

static

10

eee2a6a681...27.exe

windows7-x64

10

eee2a6a681...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2025 04:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe

  • Size

    88KB

  • MD5

    ba22eee6c9fb329301817a2ecc56e943

  • SHA1

    bdd2a764fcbf8c16671c4997be14c013fb30f5be

  • SHA256

    eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827

  • SHA512

    73e46feb3babfae0ff107fe83f23ee9dfc013e74327df61f20c596f820d6568013343c4db07ffa77716d79102e6420af1756a172c8938f3caedd6e7b0975634a

  • SSDEEP

    1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5Z:2dseIOMEZEyFjEOFqTiQm5l/5Z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
    "C:\Users\Admin\AppData\Local\Temp\eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    88KB

    MD5

    daf5883ff36c6070c70c2325e4979aef

    SHA1

    1c52885a8a0ac5e145f50a9c934f97a69e981c52

    SHA256

    05f91406cb47d7d77198e598b71b254a074c79d20dfd2184efa566eb4116a272

    SHA512

    6ffbc858b36ff5b65b6defb55d7677ad1b9355a0e6f6599c4d7aec6da665631aa272c7f31b6c1402efd8d4d3b212e53fae9392127bec6db5b24112aed1824a0e

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    88KB

    MD5

    ffe0f0d3ff1a66374b784e53d0fcf6d4

    SHA1

    bcbc57018e588310c3ad4aaa293866fd590336a8

    SHA256

    8b3a6fd1ea1a6eb24e3a6a8888a340aa83056445729491b0a393bfdd92a5ada6

    SHA512

    ffc9eae2f4fc0b1f793af57f81415594b029f3891a0bfd5e383fbb4dc9218105797c380cc4dfe352a8e3a02d5af1d886a3d26a370dada21f302e89c0e162a859

    Download Submit