Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-11-2024 08:08
General
-
Target
75a188b4c356a3e828ca599520307fdfe1e498a7b2d1107c7b24ec8f62b152bb.exe
-
Size
96KB
-
MD5
df9340f20610303bda95c5e273e70ed4
-
SHA1
5e2357006b43d0d42e094b80735007bfef1b71bc
-
SHA256
75a188b4c356a3e828ca599520307fdfe1e498a7b2d1107c7b24ec8f62b152bb
-
SHA512
0b42e279b441c53513e7d1c50f30defa6f95fb71053b0f6721e4e9835c76c56ff2e3cfafeeedfea5d3d68ae2c5149bb9db6b6f7d9234b51e85745171e9a1b504
-
SSDEEP
1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:EGs8cd8eXlYairZYqMddH13x
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\75a188b4c356a3e828ca599520307fdfe1e498a7b2d1107c7b24ec8f62b152bb.exe"C:\Users\Admin\AppData\Local\Temp\75a188b4c356a3e828ca599520307fdfe1e498a7b2d1107c7b24ec8f62b152bb.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\75a188b4c356a3e828ca599520307fdfe1e498a7b2d1107c7b24ec8f62b152bb.exeC:\Users\Admin\AppData\Local\Temp\75a188b4c356a3e828ca599520307fdfe1e498a7b2d1107c7b24ec8f62b152bb.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2568⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 2884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3124 -ip 31241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4600 -ip 46001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3996 -ip 39961⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD55a1aa59a875caf76680d4681541b7c76
SHA1da6c11f2066540071c2c8478e35416f4357f63ab
SHA256870a550b34fad99df2ad32a4373c26e9157b6e0082a59c60072488b6146b340a
SHA512ddd0464c3eb12974da688202d93e5c145a23a4fa1de9d649a7964eafb25758a1c5c7f3e1d583924015adc40ee0fe448aa31fc3ecfc2b2b7a306151cc925f484b
-
Filesize
96KB
MD5382fd6253fb9cec92dfbe5516d8092a3
SHA14c6cd980978d57ec4f1f9cff86a309193497c3ae
SHA256c9d97f0d31a49235c0257fecdffe11504d84cfa116c4c18f807856492962c50b
SHA512399556022ab49876eefccc156023f4c58707dba20e4703ee2bbff32388e7c1eb3e37a8c4035198e9e654bc27a2bff30b4c563b2bdde2bc737a38439d35e9c18e
-
Filesize
96KB
MD55003a4e4a25e34426a5551010328d585
SHA16960e24bdbe536a61dfd8a1c3b453ea2a67ada89
SHA256eecc010191b42e924adac7a12fdb02b364f96894b965aaaf570fecf8f6e19574
SHA512913e6866c88dbbcb4ca2fcb6b9fbe344acc03221fc4d1e69a4aabe400ca4ffd8c228cbba0fd75f96f21374caafee3a1473022b56ea7b05212e3d2acca7515910
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB