Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-12-2024 13:23
General
-
Target
15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe
-
Size
134KB
-
MD5
eb3d3b17e41c40cbae73072b9d9a1a7d
-
SHA1
7c0feef921da8f9d08a476d64afcd55a4bf02726
-
SHA256
15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d
-
SHA512
0820ee2bfb04115354be88347bb000ab4d97d65551a64d04f62740d841e663506cb40f4e6eeb1b76ad1650c64d2f1a7d63fc8618083fcdccd725fe4096e293b7
-
SSDEEP
1536:8DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi1:iiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe"C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exeC:\Users\Admin\AppData\Local\Temp\15853f870ad80941247d0564dcb5f9f60329ac4905583f16b1541e8d74550f7d.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 2528⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 3004⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 2722⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2916 -ip 29161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3508 -ip 35081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 836 -ip 8361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4404 -ip 44041⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD5595012d1f81b0cda42fe6e22f30ae2d5
SHA10b7bc01191e4025ce804fcc7b6b0876833714072
SHA256e0a17b48c6426d792bf66871ab6d1210d8770d70c486be48341829c65e383f5b
SHA5123e78ff559fa83f84203794239994bf461072bb4629bc09519702cb036c790e3f0cbee1f8bd6cdd1c899fac77fe75c56b5fb4cabd08d38bd39df348546a6bf78a
-
Filesize
134KB
MD5d8dc678a990a8c9c9cda88f0c85cbe7f
SHA10b040a20c5fe18ab9cf556c55aaeafe57caf7464
SHA256249d43173536b014132143ab2662a6ce14272b622d62e1d120f3878c70464002
SHA512d5c179a2c8399e6362f50390eca0473dcf6ccdc12011a37eaa05f8cdd5bd4694f39a27734e1ce6b5a34a8abb845f333f876eab96b26a333f8a5a8dfd49c2b596
-
Filesize
134KB
MD5509a911a4d4e564d61126bb5394cb4ff
SHA11a3db1e98ab06750600da23b45758cc53a6ba19a
SHA2568725b90d5cc610815bc61385a4eeacb8fcb947e0421abdb9ebc62a3da5125f32
SHA512ab992d8982c12310134a90066cfecd6b684381833cabc1da2a78d7292c1cb0d24aae3350ddc8622c191aea71e7075c05d159b3555d49b566c34cc58cfe27a0e9
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB