Overview

overview

10

Static

static

3

3a76b4b133...3e.exe

windows7-x64

10

3a76b4b133...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe

  • Size

    96KB

  • MD5

    368d064efacaaa20abc57a01c83e0f3e

  • SHA1

    2f0a36ebc6e185071605afa653ad3da504d4df62

  • SHA256

    3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e

  • SHA512

    641a4ac039b2cb409b615069c1874a004e0f0da2e4a69937bd176a089c12b1960597afb12bb10b0f218ecc126cf85ad53a5ae4f099844ab316e3d43c20f172c9

  • SSDEEP

    1536:+nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxh:+Gs8cd8eXlYairZYqMddH13h

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe
    "C:\Users\Admin\AppData\Local\Temp\3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe
      C:\Users\Admin\AppData\Local\Temp\3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3828
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:692
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4220
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2696
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2116
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 256
                  8⤵
                  • Program crash
                  PID:4036
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 292
              6⤵
              • Program crash
              PID:1240
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 288
          4⤵
          • Program crash
          PID:536
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 288
      2⤵
      • Program crash
      PID:5068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2036 -ip 2036
    1⤵
      PID:1248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3828 -ip 3828
      1⤵
        PID:5020
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4220 -ip 4220
        1⤵
          PID:4280
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2696 -ip 2696
          1⤵
            PID:668

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            bf7081c5fb72643cae63538b0128b8b8

            SHA1

            ac3e5ac8e5d58b60740da52458b17c762cd17024

            SHA256

            44ac5aa265f57cf9df83355e6ba0f6dc64f91351229b6ebba9946c514b07347f

            SHA512

            4653a7c3f8c03681f38a52e6bd7c46b2f68b700382e95218e04579f22087ef6473b3cc1c0cef7837fcc3410c9278a5875cafc9867dbfadc9fdd58eda1d4b5711

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            ddaa1049dc02d0b91a0f2dcbad07f972

            SHA1

            8b26c808b7ac1450c3282caadde0d2aa7b76a19a

            SHA256

            291ae9ca21081533e6e4cf8e73fe735ec9a044c088c6c854ccc89259f0a657de

            SHA512

            2119eeedb6addb9d4b509c3f898e9fc167b26bdc8bb3df7bf6a5b32ad31b1b73621af520a66fba300af10ad9843750efd2e7e28361d3f0201ebf769bc2c6b936

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            05e3589590be000129dc68169d9a423c

            SHA1

            901016c60a76a4034c7f336b5b75a59b6144de4a

            SHA256

            cc5e4badabc2fafe045ce05572ea4e7c933eea8101eafc1fdd80316a4b7413bc

            SHA512

            23b38b759dabe541d63b49dd3284f714afc5a8c8e4d5333345f8638b5e0ef976f4f3e52c2effaa8adc2838d91c563d7ec40b8484a41be67c44e5bf390ad591ce

            Download Submit

          • memory/692-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/692-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/692-29-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/692-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/692-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/692-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/692-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2036-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2036-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2116-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2116-54-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2116-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2696-53-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2696-44-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2812-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2812-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2812-39-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3828-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3828-10-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3964-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3964-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3964-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3964-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4220-33-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4220-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download