Overview

overview

10

Static

static

3

3a76b4b133...3e.exe

windows7-x64

10

3a76b4b133...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe

  • Size

    96KB

  • MD5

    368d064efacaaa20abc57a01c83e0f3e

  • SHA1

    2f0a36ebc6e185071605afa653ad3da504d4df62

  • SHA256

    3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e

  • SHA512

    641a4ac039b2cb409b615069c1874a004e0f0da2e4a69937bd176a089c12b1960597afb12bb10b0f218ecc126cf85ad53a5ae4f099844ab316e3d43c20f172c9

  • SSDEEP

    1536:+nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxh:+Gs8cd8eXlYairZYqMddH13h

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe
    "C:\Users\Admin\AppData\Local\Temp\3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe
      C:\Users\Admin\AppData\Local\Temp\3a76b4b133225ee0fe5eeff15a25f35ce64ed34d03982a8953619d038039093e.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4424
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4896
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4900
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2184
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4676
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 256
                  8⤵
                  • Program crash
                  PID:2108
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 292
              6⤵
              • Program crash
              PID:1544
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 288
          4⤵
          • Program crash
          PID:4912
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 288
      2⤵
      • Program crash
      PID:4964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2360 -ip 2360
    1⤵
      PID:3620
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2852 -ip 2852
      1⤵
        PID:2032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4896 -ip 4896
        1⤵
          PID:4764
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2184 -ip 2184
          1⤵
            PID:4824

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            a0b9bdcaf456f6ae73f7f446e96ffe04

            SHA1

            8fa9a6b419d06c43b203dbdd5a16e9dce972cc7f

            SHA256

            1d33d02a8e0a74cf87abc69d4653bdef51053d233bcbbbc127f12c8bb0fc6135

            SHA512

            2f0c716aece0e7f4d609e97a9bf3210d7ef483505a7f9bc4c9af18bb86fd990a6203d8d329261d66411b207ac07eec9b8ebdaeac36e995e209f89c850578bd8b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            bf7081c5fb72643cae63538b0128b8b8

            SHA1

            ac3e5ac8e5d58b60740da52458b17c762cd17024

            SHA256

            44ac5aa265f57cf9df83355e6ba0f6dc64f91351229b6ebba9946c514b07347f

            SHA512

            4653a7c3f8c03681f38a52e6bd7c46b2f68b700382e95218e04579f22087ef6473b3cc1c0cef7837fcc3410c9278a5875cafc9867dbfadc9fdd58eda1d4b5711

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            0900f4d56d7c89eb744556c3a18f322b

            SHA1

            7ac81d0994384adc6e7b0d9c3a55c2809d4ab28d

            SHA256

            f81b865468c91a0df3d8688e3eac97dd49dbe76911c86a4be5c1fea58b6a8849

            SHA512

            29c900654796371206e44868d19eed83fceffb2411f746ef1225efc47311f3338ba7d6d85898b962935d35f0c720b247b9c04d858d2db8d4bfa7e26f09f804a9

            Download Submit

          • memory/1344-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1344-10-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1344-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1344-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2184-54-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2184-46-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2360-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2360-19-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2852-9-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2852-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4424-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4424-23-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4424-34-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4424-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4424-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4424-27-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4424-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4676-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4676-51-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4676-55-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4676-58-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4896-35-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4900-43-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4900-39-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4900-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download