Overview

overview

10

Static

static

3

5458a2508e...9N.exe

windows7-x64

10

5458a2508e...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 02:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5458a2508ed6fd0ca27b574c42220b3ce6809b270fba082aa1ae34f3f2773b89N.exe

  • Size

    96KB

  • MD5

    9a7fb4ead08030bbe6e44e2aead82b00

  • SHA1

    a686ce8c7273544cd3cdbb9c424cca5599798c41

  • SHA256

    5458a2508ed6fd0ca27b574c42220b3ce6809b270fba082aa1ae34f3f2773b89

  • SHA512

    4453aca8e1b5521acf62db67690beace6be56a7e1826832ccb5fc098d3e92c6985c24f430062aeca7b26f9fc20ef6f268ec1e6894ab92846f8c43e8e7e4eec6c

  • SSDEEP

    1536:qnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:qGs8cd8eXlYairZYqMddH13L

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5458a2508ed6fd0ca27b574c42220b3ce6809b270fba082aa1ae34f3f2773b89N.exe
    "C:\Users\Admin\AppData\Local\Temp\5458a2508ed6fd0ca27b574c42220b3ce6809b270fba082aa1ae34f3f2773b89N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\5458a2508ed6fd0ca27b574c42220b3ce6809b270fba082aa1ae34f3f2773b89N.exe
      C:\Users\Admin\AppData\Local\Temp\5458a2508ed6fd0ca27b574c42220b3ce6809b270fba082aa1ae34f3f2773b89N.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4480
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2232
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:892
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4960
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3564
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 256
                  8⤵
                  • Program crash
                  PID:4692
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 292
              6⤵
              • Program crash
              PID:1800
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 292
          4⤵
          • Program crash
          PID:380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 300
      2⤵
      • Program crash
      PID:1916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3156 -ip 3156
    1⤵
      PID:2060
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1988 -ip 1988
      1⤵
        PID:1744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2232 -ip 2232
        1⤵
          PID:3992
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4960 -ip 4960
          1⤵
            PID:1420

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            d73ef585b7f24868d3af964819c6b997

            SHA1

            6a4376550a2f90ff63527310d207d6abf77eb0d3

            SHA256

            6d4bb1f42bdd9f08b00f86fa23f1bb80d25ef5be717913f617d0f701b7ff1db1

            SHA512

            5be703b75d34c11c0827e7e84eb2faea113002ce6dbd8b4bbc15a4c9c27b620fad4d1669e200a840d78b32c488ed9a9dd9a21f805206ad58527d7dec830fa3ad

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            52d0cb86f887ef77822ba9a241987b58

            SHA1

            fe69831ac6cafa98fb749af48023fd66d239ca31

            SHA256

            863335f5348b0a0ad3c4a2f15ad1cf47ec9b60fe94c92e2300b84bead40afad3

            SHA512

            a787c0eb6793432a6e0d4193f518acb2713279120ed0324c6a8cac3cbcf33c4ec1a807b2d13ffe42a78ac2af9898bf3ac95de2bf5f2e03afcf56dad35af3190d

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            79f757b59385f6dc8e078da644e4ec5d

            SHA1

            4e80218b29915c4c051494f3d4c1cf39001380f8

            SHA256

            70790bd1dbf03381915806d8dfc05cf18be68ff8593b7bdcfec3d24ec4e79fed

            SHA512

            5e5b42a23759f0a52d591413aacee6ec55f9871f4b562d433f3d7dd063932005095ab114f7990377342921d0062859d1e3440b9e48a27f27ae8848a505ca3ea2

            Download Submit

          • memory/892-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/892-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/892-40-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1988-11-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1988-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2232-32-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2232-53-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3156-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3156-19-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3564-51-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3564-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3564-56-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4480-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4480-31-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4480-27-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4480-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4480-23-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4480-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4480-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4960-44-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4960-55-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/5024-10-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5024-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5024-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5024-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download