Overview

overview

10

Static

static

3

44597dbe26...9N.exe

windows7-x64

10

44597dbe26...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 10:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe

  • Size

    134KB

  • MD5

    bd6ce6b625fe5fbbad2e65eb4db34a40

  • SHA1

    0215172cc69119d8f0f088b58f64c5a281f44fef

  • SHA256

    44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699

  • SHA512

    7e2654c3b984a9298284e60bfb0f6adabe78c5d2516c06ce0c6e02cd402a91254a92259c3bb8c03e4af419b9a83173ae216b5f920194498e9dba3128ee4c0f92

  • SSDEEP

    1536:bDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7l:XiRTeH0NqAW6J6f1tqF6dngNmaZC7Mc

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
    "C:\Users\Admin\AppData\Local\Temp\44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Users\Admin\AppData\Local\Temp\44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
      C:\Users\Admin\AppData\Local\Temp\44597dbe262e10361698e2f16e5e43b8beabd0d730e83a7c211833fc2fcb8699N.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3356
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4300
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1632
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3824
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1456
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 268
                  8⤵
                  • Program crash
                  PID:5020
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 292
              6⤵
              • Program crash
              PID:3148
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 288
          4⤵
          • Program crash
          PID:4684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 288
      2⤵
      • Program crash
      PID:2228
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3148 -ip 3148
    1⤵
      PID:3528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2360 -ip 2360
      1⤵
        PID:1264
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4300 -ip 4300
        1⤵
          PID:4648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3824 -ip 3824
          1⤵
            PID:2636

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            6ea3198c74cecde530ed21f60e3aa476

            SHA1

            f2e8356e48e8a931a4c693326323a4816c1d7ecb

            SHA256

            1a8bc19aaa2c2ff39d565f4318f8164acb4f3b157aa98f7a881b4dd1e967d8cb

            SHA512

            291392d8de4c2f9a3151449fa15af35eb658db229e85390d5d769f6cbcd877dc90a45036194c71fed1e46ba9cf528d8db6babb560fbb2609bb5cf2120d65738f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            134KB

            MD5

            7931b9e3414b127b62be847428e4c9af

            SHA1

            d456b7a23a04cce29315595ecfe7cfa1edff32d2

            SHA256

            415aea8d85f2b500ac86e26a17fa8d25f32f89b60bd65655367b44813499cff8

            SHA512

            1c58f93585500eda07f2b6ff93d5599ac9093c70b9a857a41553a49afc13af099f55e38e4f9a299fd7901cf1478dc23e33c300a9bc62059c48787d559ee15508

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            134KB

            MD5

            e99556e9775656680ce82c67f64bc982

            SHA1

            76508935b8a7910f6f89da61d0a1cd88ef62b029

            SHA256

            d1fc39f169e214a79349b632c76a5cdce446e6bea7addea29c5e4bf03a9d09e9

            SHA512

            5892de0acb8a52ef1c7364646cef5a8df082b56f386753231a377401a6994fc5b351e128df2686accc255c4e2972ef6b5502ec296b0d8638d4512c049fa4425b

            Download Submit

          • memory/1456-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1456-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1456-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1592-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1592-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1592-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1592-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1632-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1632-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1632-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2360-10-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2360-16-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3148-17-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3148-0-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3356-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3356-21-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3356-18-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3356-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3356-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3356-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3356-28-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3824-42-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4300-30-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4300-49-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download