Analysis
-
max time kernel
115s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-12-2024 03:32
General
-
Target
0b6470481c45cd4a6249392fd7883a7f56903f5acc179067b143c9e181f3e5ab.exe
-
Size
96KB
-
MD5
be095d6a35f74016d38c678c56c1db7c
-
SHA1
737a8686c0a9931aba32241d56ec241ee57b65d6
-
SHA256
0b6470481c45cd4a6249392fd7883a7f56903f5acc179067b143c9e181f3e5ab
-
SHA512
75d2a3e581cf119ca9e33725c6ebc0e515b2f14e1a27d64d47ed7c4bec71b50cfb5587843dec40b938af8a562aa42eaa198a915cc22eabdbc84e68f9033d5a89
-
SSDEEP
1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:zGs8cd8eXlYairZYqMddH13R
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b6470481c45cd4a6249392fd7883a7f56903f5acc179067b143c9e181f3e5ab.exe"C:\Users\Admin\AppData\Local\Temp\0b6470481c45cd4a6249392fd7883a7f56903f5acc179067b143c9e181f3e5ab.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0b6470481c45cd4a6249392fd7883a7f56903f5acc179067b143c9e181f3e5ab.exeC:\Users\Admin\AppData\Local\Temp\0b6470481c45cd4a6249392fd7883a7f56903f5acc179067b143c9e181f3e5ab.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 2688⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 2964⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2792 -ip 27921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4904 -ip 49041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 524 -ip 5241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3804 -ip 38041⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD568ffa9342d6525c2cc9b29ebe33d8b3c
SHA1d1aab119e807af549d4db5fffeecd68b8edba6d6
SHA256e6a4b4b29fc74d931afe1a1fee569e555169b6229487afc0a04a19382a630d1b
SHA512b29840852851b5da4012170132f269409ee61decb69a71bf73aa5800083624c567e15e938729b5450ad29fa1229f99e8142b5cab2cead3e32936266ded95ca6c
-
Filesize
96KB
MD58766871e47011bee6ec6dec3193741a0
SHA10fb04f25369575960bb634b776f42d4dc6d7914e
SHA256b61b3f7d095a87c9946218e78d00dd161da519a84ce22ccfabf6abe8cb56d996
SHA51268aa93db351cac8010d5dc2dbe79274ef092dbe7521afe21173e31b3515270407f13343f67502691275f25c29cb2782ce18c990bc96b7de52b2cadcee41fd909
-
Filesize
96KB
MD5eccb4e848f5b1b9ec6016af80a280352
SHA122d185631078198804d0d2245f2660dddec16d0d
SHA2560eeef49b01105bb910accb80b6a11a88edc57ee742befa16d93b9091104743f4
SHA5124f2e9872d6c08335b899fc73644889e632dcca34f5293a369d67ef97360856a2db8a3efa90bb3c1c1b4f95d9d73d7436b28b7a8562178d8be7420ccdbefa3dac
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB