Overview

overview

10

Static

static

3

07a277f638...fN.exe

windows7-x64

10

07a277f638...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe

  • Size

    96KB

  • MD5

    a330bd3ac7399c97c8f0853c3d7f0570

  • SHA1

    513758fdc74147414ffc9f2a883967284e071b82

  • SHA256

    07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428f

  • SHA512

    ab784c6b140f313b9a6c7ea93eea4ce4dcc45c0ede881422e39809fd7a36e27b0f2a3d8ea4c30c9cc2e1eb2fcfbee442bf480e0692c0103405e195ea0903859e

  • SSDEEP

    1536:XnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:XGs8cd8eXlYairZYqMddH13L

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
    "C:\Users\Admin\AppData\Local\Temp\07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3852
    • C:\Users\Admin\AppData\Local\Temp\07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
      C:\Users\Admin\AppData\Local\Temp\07a277f638c29d338001cba09d14f4eb82f4c21c3263de2e53f191e09c85428fN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4708
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4868
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3548
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2956
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2492
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2920
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 256
                  8⤵
                  • Program crash
                  PID:5080
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 292
              6⤵
              • Program crash
              PID:1168
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 300
          4⤵
          • Program crash
          PID:4148
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 288
      2⤵
      • Program crash
      PID:4108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3852 -ip 3852
    1⤵
      PID:1744
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4708 -ip 4708
      1⤵
        PID:1176
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3548 -ip 3548
        1⤵
          PID:656
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2492 -ip 2492
          1⤵
            PID:4140

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            cad6cc128b4323f82a58180b0d3090a2

            SHA1

            d9e7eb4d89c5716da135da19d99445f64abfca1a

            SHA256

            aa6560c66a71cac992a315273a82872e70c2a0fbe0103f5ed83069d81b59a647

            SHA512

            77e0cb4bbb28317bd2049c8e5b5781b58352ca391d6d84bf7c779fc5d1519542450489d1f7cb925a64bd235dbbb7b64251c58dbc047da3e35e1efeccecabf377

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            709f9640cde5fea9296f4496745f3ab4

            SHA1

            60b0afe8624cd1d885f1d996c86bdd01d4365b0a

            SHA256

            15e37e5875c669e29fae517ea6d653e86f8a5ec2514b0f6cc4e9925859fcd9b5

            SHA512

            98470bd948d42652ac1c44c4be865da3e9374c59d7fe742f2054e794c61fbb29dc95da21a2861b9f950beb00ea88bc2d34c88b99912b2c95e5680fa61c69f314

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            6a8cc7b592bfea41216dcc86c31f9840

            SHA1

            daba226e8744bb21c3e6f412c4026254f90ef6e4

            SHA256

            d844b8eef552169f118fd7ce3143d5168a30ba3e942cdb4622a560714ed452ba

            SHA512

            8426625d9c0c6b7e402acdb15facfdcaa3698c117904132458bbf6bfe36a7b6ae7b310ddcdfc9bed3626ee621351b1c0e1c7205971b85e951503b2bfb29b5507

            Download Submit

          • memory/2320-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2320-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2320-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2320-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2492-43-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2920-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2920-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2920-52-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2956-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2956-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2956-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3548-50-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3548-31-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3852-16-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3852-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4708-8-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4708-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4868-28-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4868-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4868-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4868-21-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4868-18-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4868-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4868-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download