Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/02/2025, 07:43

General

  • Target

    fe87538f8e8429649c2a6b7e22a389efeff25c7b94095970cf12641accfc294b.exe

  • Size

    61KB

  • MD5

    129708678f272403847bbe3d31c9c0eb

  • SHA1

    3257a9b3bd1818353bb1875ce44b9425542cafd9

  • SHA256

    fe87538f8e8429649c2a6b7e22a389efeff25c7b94095970cf12641accfc294b

  • SHA512

    7ff5dbab00104061702f76684d19890255b02d30e9c1ea90b705d7620854e28d139e2f42258b8cf13ec4a402cb38692ee3a264c3aff3b142adabc628dbedaf1a

  • SSDEEP

    768:HMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:HbIvYvZEyFKF6N4yS+AQmZTl/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe87538f8e8429649c2a6b7e22a389efeff25c7b94095970cf12641accfc294b.exe
    "C:\Users\Admin\AppData\Local\Temp\fe87538f8e8429649c2a6b7e22a389efeff25c7b94095970cf12641accfc294b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2164

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    bd54fe9d413e3e0ef7747eaa33387591

    SHA1

    5511b6438584d3e4e53e71140c9ced4bc9fc01f0

    SHA256

    5f83743cf20b6d3640e1449e7b2c9d264ad00c408438cf65a280e359c8104b2d

    SHA512

    f82bbaa773e57a969fa39120b98f9e8a828830d5e91a0d4c80848f4d52eb4ce974df34890483a72d40dde5e09198c6f244e4cb7937fba636214767b98f2ff938

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    61KB

    MD5

    a0125192a9c92bc7adfd06e972a4ee33

    SHA1

    02ec11eafce18852ba5f2be7130fa18f2b3efd08

    SHA256

    bc2cea40bfe8a5e70460f8868d44f5bd53a06826d5aec7cb6c4b6d1c854b59a9

    SHA512

    b4b0254b20c97fa23060dc5ffedc1968aab17142ac79f03a8c2461be0a0a0a2df9249d5ea5cafd38b72951805e40b9e97fe923df7162ba2119a31c7790873bec