Overview

overview

10

Static

static

3

dd397e4bfb...8N.exe

windows7-x64

10

dd397e4bfb...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2024 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe

  • Size

    96KB

  • MD5

    546e3573ac5bff547811b44fb4ec56e0

  • SHA1

    d0ea09b1c9554d0b59ecd0e87195297d82b7057c

  • SHA256

    dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98

  • SHA512

    bace3256111add09e8eb5399e0a0e1c80367fbdb7d86ecad8dc1fd217fe89ed1804b1402951335ed82657f37407d76c26653b68f6ab806390b925ff714f8ca9d

  • SSDEEP

    1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxq:OGs8cd8eXlYairZYqMddH13q

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe
    "C:\Users\Admin\AppData\Local\Temp\dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe
      C:\Users\Admin\AppData\Local\Temp\dd397e4bfb6917e97f317cf291b601fb7dfad59cc4bf77077ec503caa7ba9a98N.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1612
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1948
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    b4149a7ebc97f13f2d9b920353ffebb6

    SHA1

    f8d8f620d32aca0e1640b7f5be7e50805cfea090

    SHA256

    e9ca927468c22be15bc83132fc53f33d838c001a26ecaf3ef01b83a13ca195bf

    SHA512

    8e4e2647acf719d47620e6c5b8eed202fdb10c4da2f9a770d70338ed7ec8f0cc49fd5e89a81418835f202b939889e3853e1f5dbce7dbb132c684dbba5e8b3353

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    96KB

    MD5

    ec5b326f60daaa45a29228d260643d03

    SHA1

    c6166343cd2ec940535de25f45632133f3243731

    SHA256

    5164cf44259b7353617d29af0067752492f55f11a3519dd704dc8b1dfc9e2988

    SHA512

    000305f9db973812ebeae800490c95fac457d7605f8c70fffd3d32f5036e6e631e04c7eddea642bf9c1f21af014792d9cd9bd5a7b1bab0b4675eca689a508e0e

    Download Submit

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    1c7443a4d3dc3d84a1b4fe71fd3887e6

    SHA1

    64a38c8ac030317b20517803dd7956c8b381bd08

    SHA256

    5f29ab7fec6c0c1181c85fe63746aa6c3bbe27834277fe37b7b59102f3e593bb

    SHA512

    e2594f04856c9fbd1f06104115e80c1929f8c3fca69ccb535fa584fe142c02661c299c9df4131477dcfab207c7d0ae71c0af7f63cb7673fc5434b9cb6a1ca69d

    Download Submit

  • memory/1200-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1200-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1200-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1200-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-11-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1612-73-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1948-88-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2076-24-0x00000000003B0000-0x00000000003D3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2076-33-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2076-21-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2448-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2448-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2852-38-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2852-53-0x0000000000290000-0x00000000002B3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2852-56-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2852-55-0x0000000000290000-0x00000000002B3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2852-44-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2852-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2852-35-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2868-58-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2868-67-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2920-90-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download