Overview

overview

10

Static

static

3

7801f94d7d...0d.exe

windows7-x64

10

7801f94d7d...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 15:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7801f94d7d50a919b92278c053132294bb0e88262ad2800ad0ff773ec3681d0d.exe

  • Size

    96KB

  • MD5

    efc206b3300e3e58bcf3ca8eaca8c9cf

  • SHA1

    712605a02fb689f2191342e67cb902ad52556c51

  • SHA256

    7801f94d7d50a919b92278c053132294bb0e88262ad2800ad0ff773ec3681d0d

  • SHA512

    94f0162cc032d7a8ed0924037168222936d9daeba5bd4b015850fb8c1057fd841e0cc702fd5a5c33fa02e05dca8d6977565c0482615c9a6129185f23c8d95399

  • SSDEEP

    1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:UGs8cd8eXlYairZYqMddH13z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7801f94d7d50a919b92278c053132294bb0e88262ad2800ad0ff773ec3681d0d.exe
    "C:\Users\Admin\AppData\Local\Temp\7801f94d7d50a919b92278c053132294bb0e88262ad2800ad0ff773ec3681d0d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Users\Admin\AppData\Local\Temp\7801f94d7d50a919b92278c053132294bb0e88262ad2800ad0ff773ec3681d0d.exe
      C:\Users\Admin\AppData\Local\Temp\7801f94d7d50a919b92278c053132294bb0e88262ad2800ad0ff773ec3681d0d.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:684
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4752
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3552
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4036
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1812
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1028
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 256
                  8⤵
                  • Program crash
                  PID:1572
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 292
              6⤵
              • Program crash
              PID:3124
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 288
          4⤵
          • Program crash
          PID:4024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 304
      2⤵
      • Program crash
      PID:3724
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3720 -ip 3720
    1⤵
      PID:4364
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 684 -ip 684
      1⤵
        PID:3124
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3552 -ip 3552
        1⤵
          PID:1088
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1812 -ip 1812
          1⤵
            PID:4488

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            1d17b1bd4ab36246807cc12309d15d4b

            SHA1

            0ff18ae696f550074cad1110ec2043115e80d300

            SHA256

            aae9961fe307b22688b484b98ac25e980123913032b949f90a8cb99b92491ed5

            SHA512

            2ecf52741aa60dc43237cfd020bf44f3596e7493192dcae9576ce57a33c77dd255b01ac43baaf5df8ac66c9370de4716d897d9142ec13881d87639abfb781246

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            f68ee74f31d1013e365ab5ce17f6a80d

            SHA1

            855a9adb872d0e86afa7bcc5644d9cd1d504cd88

            SHA256

            1d2e864b46c759be0946582d45a2b72e2020b7246469abdc96cb9fea7b4df94c

            SHA512

            3d7acd7c613c2a5185132ba5388da33be1532302565d8e2a80deee6d28bb5edf72550ee299ea9db312a24311cb139c410bd7d3ccf02c705adffab99650f46194

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            8470fd734c4b46b2853065d990ff3762

            SHA1

            9de3fbc06ad4c849717c4daafbe6023f59660b83

            SHA256

            88708e6174853b74b77321410bb9081f3beadc160f94028a464f6a9ecb305614

            SHA512

            abdbd616845ab0fa946d8962655146fd8b9ffbdb2097789881135fa1bfa71478846f87c142d7228af5d162d1481ef40fcf0af7b6acc83976817a0ee75c04044e

            Download Submit

          • memory/684-11-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1028-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1028-53-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1028-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1328-10-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1328-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1328-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1328-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1812-45-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3552-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3552-34-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3720-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3720-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4036-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4036-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4036-40-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4752-33-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4752-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4752-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4752-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4752-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4752-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4752-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download