Overview

overview

10

Static

static

3

794cc23ebc...89.exe

windows7-x64

10

794cc23ebc...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/11/2024, 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe

  • Size

    96KB

  • MD5

    0249e3dd89f68358a93601b139fab1ce

  • SHA1

    cd2de26853cbb87cad8f4d72233e9e86af263d13

  • SHA256

    794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89

  • SHA512

    8f2bae5839a88239a82e879c1319a5d6abf3bbb4222c7d6e05fb64a138c5236ced543c2d484109213571ace023acf7a781679c0ce70f111f40cd791dd1a11833

  • SSDEEP

    1536:YnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:YGs8cd8eXlYairZYqMddH13R

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
    "C:\Users\Admin\AppData\Local\Temp\794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Local\Temp\794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
      C:\Users\Admin\AppData\Local\Temp\794cc23ebc508c2ec67c36a442cdfcb4ebe72f088518511357676accf67ffb89.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1068
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:344
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:552
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1932
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1684
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 256
                  8⤵
                  • Program crash
                  PID:3784
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 296
              6⤵
              • Program crash
              PID:4204
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 272
          4⤵
          • Program crash
          PID:2212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 288
      2⤵
      • Program crash
      PID:1012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2284 -ip 2284
    1⤵
      PID:3908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2140 -ip 2140
      1⤵
        PID:2176
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 344 -ip 344
        1⤵
          PID:4316
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1932 -ip 1932
          1⤵
            PID:404

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            252813f5a29f2b12147169540854258a

            SHA1

            2916977b72b4068514c87979056df8e96db4c933

            SHA256

            db97d5b4817d4d0fcb11e22228e4c31fbb94b79783525161568a408ffaa3ff85

            SHA512

            61f8b1e5158a8fd1c5b623f3fc9b016c5ba4546341026b201bd334f5c2e378ec96a6e81ce3c8d651aa1e4f494ac6a0c3b699cce8025b4eb214694955e7e86458

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            c87554b4d16b4d9c6b7e9cc99a82290d

            SHA1

            16d875aba79925654781c57c77c439a31b3962d0

            SHA256

            fb0af20192bd74ce698078ec23ef8c0ea98b72c569ca7d23f4604ded45b3c6ad

            SHA512

            c66900a276537958cd5d1c8becd098be0b350538271e89a02815b8722bd6694ae3610ae7e322e399cdefec2f9d5a05a8bbe9906c06cffcce1a3f93efa30accb7

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            071f596358039ca96780bd77fb7c84ff

            SHA1

            5173ff1ce6e1e06cb5da1b37abe09de4b26ad074

            SHA256

            e0534b2305490db8f448a6b07fd29f12137660dba1a9d952b7d44b2acb3e0ce6

            SHA512

            8cfa969e7df108020afd1a8c132253910b94993e59704357f7f365772bf4b939c5f1f4d2e7e87cb303c594fa32d8e640530fea68cc16887c8c09c0e9c47cc590

            Download Submit

          • memory/344-50-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/344-30-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/552-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/552-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/552-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1068-13-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1068-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1068-29-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1068-18-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1068-21-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1068-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1068-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1684-52-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1684-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1684-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1932-43-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1932-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2140-16-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2140-7-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2284-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2284-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4868-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4868-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4868-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4868-8-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download