Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-12-2024 00:09
General
-
Target
17a8136b46cbccbf3609f1066575738a15ff57db8d1d3161990c7346630721f1.exe
-
Size
96KB
-
MD5
ad73d2201f360c25e7612bc3ab68f355
-
SHA1
060583de7be589a37eebd08a5c64b6172a59e799
-
SHA256
17a8136b46cbccbf3609f1066575738a15ff57db8d1d3161990c7346630721f1
-
SHA512
ac018c0ca1e805172197d75ba9bcde9d6267e048d53c7f815b230e61378cf632064270b4025061bc60c68836fc78475066089ce381141bf08acb98af72db94ec
-
SSDEEP
1536:unAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:uGs8cd8eXlYairZYqMddH13R
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\17a8136b46cbccbf3609f1066575738a15ff57db8d1d3161990c7346630721f1.exe"C:\Users\Admin\AppData\Local\Temp\17a8136b46cbccbf3609f1066575738a15ff57db8d1d3161990c7346630721f1.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\17a8136b46cbccbf3609f1066575738a15ff57db8d1d3161990c7346630721f1.exeC:\Users\Admin\AppData\Local\Temp\17a8136b46cbccbf3609f1066575738a15ff57db8d1d3161990c7346630721f1.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 2688⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 3004⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 560 -ip 5601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3400 -ip 34001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1828 -ip 18281⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD504f473dcf09991c60f838d83558c6c46
SHA1c83d37d154d92af6ec027cabc683bf2cadeb286f
SHA256be10010796f88e9c21102773262192c93f41870c41e342dfe07819f324680e30
SHA5125bbf8639a92fba5448eb25d4f81279eb833207586ef68e024328b0146e8a61ec132b55f3c6b25b54aafe3550f7d7097c9a22e8ce515a1aa9c77b10e45ff12673
-
Filesize
96KB
MD5e27ca67e07442bd8d8f9a31b353ee861
SHA1c60f3db8b0e311f3c026e788d01927a96eb0b1e1
SHA2563b3158eea310785191c5647414752dd1bba826ad67e6fa77d874bb8405e3f7bc
SHA512d942ee1d6e5772ae943fc7fbc70124026d98ca83347470f6350a5df554dd9aef1d59df9cbfd07f69a88f9cd5e5ef33820a3440e6f96368087b338b90ce8bde12
-
Filesize
96KB
MD5642679437d9e11ed835b61e7c2548ec6
SHA1b94fb7c21732813f8303493ab384f9483beae723
SHA2566716e4fad000b345c48552d7eb914222cd178d60f7e87e660a35eb417babffd8
SHA512db17f455ecf7a7079ae27056ac848ba6b14d7939af9dbacfe9f593acf19d1f389de993fa05fda09b0c298d42c8e468e463540adade52a28f876bda9bc8a7dae1
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB