Overview

overview

10

Static

static

3

e38756b320...14.exe

windows7-x64

10

e38756b320...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2024 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe

  • Size

    96KB

  • MD5

    c5d27f97b4a50dc6a13f45a8ed2a9476

  • SHA1

    dc06bb72c634658d7347009688980b841a8b4899

  • SHA256

    e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014

  • SHA512

    653aabd8a7cf34d9c1f9861152b805d5bb5d2dff119dbb2edcff36784d71055ff4e33de19909e484b41cf96bb7e3b3158e9d9f6726cd923f5194cce4050cbf57

  • SSDEEP

    1536:ZnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxj:ZGs8cd8eXlYairZYqMddH13j

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
    "C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
      C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2088
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1848
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:320
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    5a8e13daf3f47fcfb0b2b30cc2e3c86f

    SHA1

    7513063e2bd3313308cc78045cf4807d5a76f335

    SHA256

    e3af1d6d4883a5c35c8ca4000dfd849f0b38cdc3e81d9fad075f38051dbaff2b

    SHA512

    b421949144033f138e72770135f007f65dcae37b4f6ebc770549630c27d01491700163e4eb9bb8f02902f6896655e8b6a00cb1e1c3b02847b9aefbe01e95d556

    Download Submit

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    76a463c29386e5e016674ab429d6ab87

    SHA1

    fafc3605f3e8cde84f86429063fd2c242b744b6e

    SHA256

    9a9e4e81ec8b36ce09cb5595d78a45af9c5dfec692348a8918f6f48285a7f1bc

    SHA512

    7528f2143a37f83e399a0a41d5f09a0f4c866d78ef2ee8d3a2fb642497caddd663b89766e69696e07f4fd6dc44a5d85b537a70472a17bbd8e0ade856173b31d9

    Download Submit

  • \Windows\SysWOW64\omsecor.exe
    Filesize

    96KB

    MD5

    aa417e0033e0541a161ab49f6b3e3a4e

    SHA1

    05a8487c433bc3ba475dc798e9fa1670dc25264d

    SHA256

    f13799b891adb8e8df7a7f4e58bac812da9ed5ff121053077897c2b4ed8ab5f8

    SHA512

    32948032c9fd8be3f203be8ad07f2cd2b346234488654f3f51893bbdf9bcbead63063f14be0319c3cafbecaca41e7d991759792c15041363eb2bda8114e64967

    Download Submit

  • memory/320-90-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/320-81-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1652-94-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1652-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1848-73-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2088-58-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2088-68-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2160-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2160-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2160-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2160-15-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2160-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2160-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2704-36-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2704-48-0x0000000000320000-0x0000000000343000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2704-56-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2704-45-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2704-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2704-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2720-23-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2720-32-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2860-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2860-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2860-11-0x00000000002B0000-0x00000000002D3000-memory.dmp

    Filesize

    140KB

    Download