Overview

overview

10

Static

static

3

40a4b0aa4c...9f.exe

windows7-x64

10

40a4b0aa4c...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2024 05:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe

  • Size

    96KB

  • MD5

    88de9c6897937c35255ac10b6bac4a66

  • SHA1

    ad5b907ac354bbbae4bd1ea9b880a1e90470e172

  • SHA256

    40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f

  • SHA512

    ccb8b91c545641b5da431fad701e3923fd6a4f85b569cbe26f6aefa3a2ebfcf3d90dc0ddaa2a8a5cc0eb4cbfcb47104b3b6150b27dbef418eee405a7619c9bc6

  • SSDEEP

    1536:hnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:hGs8cd8eXlYairZYqMddH13B

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
    "C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
      C:\Users\Admin\AppData\Local\Temp\40a4b0aa4c555c3e71800aba99d22e7d4ae98af226973f398b41f18c4cdf049f.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3512
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3256
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3420
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2060
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4772
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 268
                  8⤵
                  • Program crash
                  PID:860
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 292
              6⤵
              • Program crash
              PID:3104
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 288
          4⤵
          • Program crash
          PID:4520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 284
      2⤵
      • Program crash
      PID:4236
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1268 -ip 1268
    1⤵
      PID:4904
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3556 -ip 3556
      1⤵
        PID:4412
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3256 -ip 3256
        1⤵
          PID:4132
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2060 -ip 2060
          1⤵
            PID:324

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            a8df9acd1142da4fa6106c54b389bb02

            SHA1

            7fa08c6c019d93e2d06d30d6c0ddf7f5483b585e

            SHA256

            dd2ef6e4fb4ac64dfcc4b00f91e41cb62160018d561803f57b39502765efa159

            SHA512

            f6b05b78fd4195984142d99b9e5c11bb133029306ed9e07323ae94776f25df6bf23328ff27a9b59f3090c5894cf37efae1ec134e79897ba84921a24813896a3f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            6f6623357b718ea9224d15a761f8ab21

            SHA1

            6496075f9cd639d1962b1c18266dfcc1d0841244

            SHA256

            712046f2e93f4b5d25323e8795b75b4d0cf6df30c7601a5a1b660732689755e5

            SHA512

            9d44f90cf22e930747c446eb3a275fd772370048c76feccf8a7db965fcdbbdfd9a1d9986a965b3212a31ee050f41a75231c9331ea739881bb212d17e9ef2e682

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            39754e7aa74398aeda27c8956f02c852

            SHA1

            b34ed02102ebed466111705e78f4b8e6e8e63b9b

            SHA256

            adf9ac5367c7b532d84fecf89241119d9c0ba90a2664a3ad29cf3929f2bb624b

            SHA512

            0246921fb919e36e7012c302feee99803d608e5c7857f08dcfd1ff9577dd5a93e482029b9457673e92875ab48b8268b8c88bd0d38d00adc3af0c90e8f613796c

            Download Submit

          • memory/1268-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1268-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2060-44-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3256-31-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3256-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3420-39-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3420-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3420-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3512-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3512-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3512-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3512-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3512-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3512-30-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3512-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3556-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3556-10-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4772-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4772-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4772-53-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4772-56-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4996-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4996-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4996-9-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4996-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download