Overview

overview

10

Static

static

3

e38756b320...14.exe

windows7-x64

10

e38756b320...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe

  • Size

    96KB

  • MD5

    c5d27f97b4a50dc6a13f45a8ed2a9476

  • SHA1

    dc06bb72c634658d7347009688980b841a8b4899

  • SHA256

    e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014

  • SHA512

    653aabd8a7cf34d9c1f9861152b805d5bb5d2dff119dbb2edcff36784d71055ff4e33de19909e484b41cf96bb7e3b3158e9d9f6726cd923f5194cce4050cbf57

  • SSDEEP

    1536:ZnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxj:ZGs8cd8eXlYairZYqMddH13j

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
    "C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
      C:\Users\Admin\AppData\Local\Temp\e38756b320f67949bc7b2fc64b6858678e156b43317915b7c782e597f698d014.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3120
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1388
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1944
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4736
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2144
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 256
                  8⤵
                  • Program crash
                  PID:744
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 292
              6⤵
              • Program crash
              PID:4816
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 300
          4⤵
          • Program crash
          PID:4836
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 288
      2⤵
      • Program crash
      PID:4528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348
    1⤵
      PID:1700
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3732 -ip 3732
      1⤵
        PID:1092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1388 -ip 1388
        1⤵
          PID:2676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4736 -ip 4736
          1⤵
            PID:4084

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            9e7bacc8a06035834c6d77d39a1f9323

            SHA1

            612ee8fdaaa8e67a5bf4c8b0a54e28b558ed7093

            SHA256

            619f8148adb44214a4b73aebcd7328b6daadc9ebf1cc69b9cc119c7a9e1f4027

            SHA512

            64dbfa76ca855f24bfbd6d69b3ab1001487b4e4b496ac05de29b75471acccd2617608b48e4af97e344870fb1df32d1e0154209b9aed351db340c35b35df26e73

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            76a463c29386e5e016674ab429d6ab87

            SHA1

            fafc3605f3e8cde84f86429063fd2c242b744b6e

            SHA256

            9a9e4e81ec8b36ce09cb5595d78a45af9c5dfec692348a8918f6f48285a7f1bc

            SHA512

            7528f2143a37f83e399a0a41d5f09a0f4c866d78ef2ee8d3a2fb642497caddd663b89766e69696e07f4fd6dc44a5d85b537a70472a17bbd8e0ade856173b31d9

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            805227500fb418a934e10c411d378d35

            SHA1

            ed732725aaa63a3de1c2350c8c28959e770555cf

            SHA256

            d95b6a3b73eea9a3443ae39d967e524927086619b9ea336c66492670c6493223

            SHA512

            72a9a24935ad79d9fa3bbee312684548c0b1513f42930fa71e306a8b60c11a4c9f56ea9493f7eb5339bc5e2cc32d483236e99750735678339c30249c849c143b

            Download Submit

          • memory/876-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/876-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/876-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/876-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1348-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1348-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1388-31-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1388-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1944-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1944-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1944-39-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2144-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2144-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2144-53-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2144-56-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3120-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3120-30-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3120-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3120-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3120-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3120-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3120-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3732-16-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3732-8-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4736-44-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download