Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-02-2025 20:21

General

  • Target

    2e3a3cf4fb287ea20c6b6eea18b503a17f0e4a8c59f17cf05642dd6488cb9117.exe

  • Size

    80KB

  • MD5

    96be59c2442dc61ebd636dcf8b2a1598

  • SHA1

    cd7981a0d05142881598af8114f93db080d1e399

  • SHA256

    2e3a3cf4fb287ea20c6b6eea18b503a17f0e4a8c59f17cf05642dd6488cb9117

  • SHA512

    08afa72a60f49e2844665316d858a4de9b14d18f5180505fd9921ab52e87904130bf518b043c2f2f6d6b9987cbdbd88924cdfe2281ca63eef6cfcf5ec7574b83

  • SSDEEP

    768:SfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:SfbIvYvZEyFKF6N4yS+AQmZTl/5S

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e3a3cf4fb287ea20c6b6eea18b503a17f0e4a8c59f17cf05642dd6488cb9117.exe
    "C:\Users\Admin\AppData\Local\Temp\2e3a3cf4fb287ea20c6b6eea18b503a17f0e4a8c59f17cf05642dd6488cb9117.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    1be33a69c5b83f895b4d690848503862

    SHA1

    327345ba1ea7a242a49bcc9067dd2a4664948f19

    SHA256

    45fb7f9aa51f1c211c717cf0225ea1acac7ede821220eec135bf6ad54eef035f

    SHA512

    c0ace709280c8d44141c9f24af7d6222d04b6509e3af6117ddfd10ecf8a7f760f7ea60aa258aaf39cd4f82ed6c73fae00aac334e9a627a906433f517b2e9b75b

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    034250a17786b9d6c4f77177ea69fcf9

    SHA1

    bc75a71abb4aaa775c41d27480ecff56c3dc3ecc

    SHA256

    f50654d731788720bba5980fb8ba4a72255ea0176ea258f773a953968ed7161e

    SHA512

    c7c6bfecdcaeb1a748976206d82605d22b8a0f9c5cc56fd17e31b5d5d39d7225582b84f3f408ac1b9d64de5eb5faf471d3e5f53f6dbbc53a8241c6ed85ff9542