Analysis
-
max time kernel
115s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-12-2024 08:56
General
-
Target
e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
-
Size
96KB
-
MD5
c5d27f97b4a50dc6a13f45a8ed2a9476
-
SHA1
dc06bb72c634658d7347009688980b841a8b4899
-
SHA256
e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014
-
SHA512
653aabd8a7cf34d9c1f9861152b805d5bb5d2dff119dbb2edcff36784d71055ff4e33de19909e484b41cf96bb7e3b3158e9d9f6726cd923f5194cce4050cbf57
-
SSDEEP
1536:ZnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxj:ZGs8cd8eXlYairZYqMddH13j
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe"C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exeC:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 2648⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 2726⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 2924⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 3002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 5401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3604 -ip 36041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5112 -ip 51121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4352 -ip 43521⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD523846fc3863672ed754f54767cea1cfb
SHA12370fad30d61584d4e79edb86fdf59ad76f2cd9a
SHA2564eb42612f2a9aa0eb641949e86fd369a165a38933ec927c616c2a58492684435
SHA5122c082d260b85b3123bb4b68c2ce2ba43efb908643a59b6d79a1a0e64ec88b6a3264f15cbe1cd8c95ff185759b7ca0039ebbb4efe84c5bbcda95dfee97a2a75ba
-
Filesize
96KB
MD576a463c29386e5e016674ab429d6ab87
SHA1fafc3605f3e8cde84f86429063fd2c242b744b6e
SHA2569a9e4e81ec8b36ce09cb5595d78a45af9c5dfec692348a8918f6f48285a7f1bc
SHA5127528f2143a37f83e399a0a41d5f09a0f4c866d78ef2ee8d3a2fb642497caddd663b89766e69696e07f4fd6dc44a5d85b537a70472a17bbd8e0ade856173b31d9
-
Filesize
96KB
MD5b5930e39d44a9cc8d3c1e5df24682fa0
SHA13e1b89c02d4552c64bb12295b6591532006400af
SHA25658643540fc9f55ef25fad7a0d70240696849dc511d2240afe80393d216ce486d
SHA5128f79c201775e160dae410579f597dbddc489b0c1b22fccfc0cd09e596360839b40765c5d27095ab2e007878ab82c27515c29df3e7eb8c8f80656783a39afa056
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB