Overview

overview

10

Static

static

3

e38756b320...14.exe

windows7-x64

10

e38756b320...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2024 08:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe

  • Size

    96KB

  • MD5

    c5d27f97b4a50dc6a13f45a8ed2a9476

  • SHA1

    dc06bb72c634658d7347009688980b841a8b4899

  • SHA256

    e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014

  • SHA512

    653aabd8a7cf34d9c1f9861152b805d5bb5d2dff119dbb2edcff36784d71055ff4e33de19909e484b41cf96bb7e3b3158e9d9f6726cd923f5194cce4050cbf57

  • SSDEEP

    1536:ZnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxj:ZGs8cd8eXlYairZYqMddH13j

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
    "C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
      C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2308
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1380
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:852
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    76a463c29386e5e016674ab429d6ab87

    SHA1

    fafc3605f3e8cde84f86429063fd2c242b744b6e

    SHA256

    9a9e4e81ec8b36ce09cb5595d78a45af9c5dfec692348a8918f6f48285a7f1bc

    SHA512

    7528f2143a37f83e399a0a41d5f09a0f4c866d78ef2ee8d3a2fb642497caddd663b89766e69696e07f4fd6dc44a5d85b537a70472a17bbd8e0ade856173b31d9

    Download Submit

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    473b644f2d7b1609b8d47a04cc6185c2

    SHA1

    27adaa6a2ca563def9c04e5a2ec9e9a2ac2747fc

    SHA256

    5eda06b0d9024e920c358b9997148c9b79425d7d849342b3d355babc75b8139d

    SHA512

    b99ec001681e9d26daf7ce1786273875c43b8e266970f659f98881cad41e768a8a3a25b22a16fc14501925f4295df51e236cfcc88b0be11458b583bfc307470c

    Download Submit

  • \Windows\SysWOW64\omsecor.exe
    Filesize

    96KB

    MD5

    e23fcf6d5f1fbb6907b58a7aa2defb37

    SHA1

    8b2ec1ebe0d0885eaa57c6cef4215acf8206c0ed

    SHA256

    f9a4a9b83010a85e5f6c8393a2bf2f834c13b614b6a9e2f395ec89e3093ce2fb

    SHA512

    47e0be228a543380558ccca32c7b33c7e03550b20e0d1065c3b01c1805466802fcfd26a84619cb19b65d983a24140d8f2e5c65021e1a44fa93ab00e09aca26a1

    Download Submit

  • memory/852-89-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/852-81-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1380-73-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2308-68-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2456-57-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2456-37-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2456-50-0x0000000000790000-0x00000000007B3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2456-46-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2456-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2456-40-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2832-34-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2832-26-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2832-23-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2860-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2976-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2976-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2976-3-0x00000000003D0000-0x00000000003F3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2988-6-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2988-15-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2988-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2988-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2988-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2988-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download