Overview

overview

10

Static

static

3

80751f1e20...2a.exe

windows7-x64

10

80751f1e20...2a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2024 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80751f1e20437b84e93053d24566a52076b9d61465e3b59d3e6627ae1756f12a.exe

  • Size

    96KB

  • MD5

    59ede50b044e7f3ffd426ea37c7ec221

  • SHA1

    bb29aa3c358decf7da5040882309011f20f3eeec

  • SHA256

    80751f1e20437b84e93053d24566a52076b9d61465e3b59d3e6627ae1756f12a

  • SHA512

    4d41db7101616917dd0d228e649bb2615ef5b13561c5b909faac2304878116f680dc7b4ff724b321c876025c13961846c52f3d750448d87b508ef46916126b9b

  • SSDEEP

    1536:2nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:2Gs8cd8eXlYairZYqMddH13b

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80751f1e20437b84e93053d24566a52076b9d61465e3b59d3e6627ae1756f12a.exe
    "C:\Users\Admin\AppData\Local\Temp\80751f1e20437b84e93053d24566a52076b9d61465e3b59d3e6627ae1756f12a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Users\Admin\AppData\Local\Temp\80751f1e20437b84e93053d24566a52076b9d61465e3b59d3e6627ae1756f12a.exe
      C:\Users\Admin\AppData\Local\Temp\80751f1e20437b84e93053d24566a52076b9d61465e3b59d3e6627ae1756f12a.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3060
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4116
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:456
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4700
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3328
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 256
                  8⤵
                  • Program crash
                  PID:948
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 292
              6⤵
              • Program crash
              PID:1272
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 304
          4⤵
          • Program crash
          PID:912
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 300
      2⤵
      • Program crash
      PID:2340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3192 -ip 3192
    1⤵
      PID:4028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3060 -ip 3060
      1⤵
        PID:4236
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4116 -ip 4116
        1⤵
          PID:2744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4700 -ip 4700
          1⤵
            PID:4396

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            deb8b65ebf2ce60113921e3c3e2205cd

            SHA1

            70153266e1864d6704004b6f0e0470fcd65a1248

            SHA256

            3e3a55b7c2cf1cd31075550996f73579351f19cb739e41f11f63dacfee6235e1

            SHA512

            98b25833d8316ae847221b14a066f03d83eef090c9e2f34c55802da22bb89783b0a23024c39b52afb1503756bd9baf1ed3925d5159a56f89077a3edcf6f193ab

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            bc20ab786412d9f60051c811dbb7e8bb

            SHA1

            01d9bf2f71c0ddbc4f36dd520dc5a68c9364a021

            SHA256

            3a220fbbcba1335881ab989434508ce68cf7c4cf2e09f0b4a8da40bf17336564

            SHA512

            b3821d9abf677b4d19bd7edcd76e96052b43ef919d738eb54769ccffd80839da74873fd149888ace9fdc21ec0c293225a77b8a7056a48f0c936007be83d79f61

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            5db05aa134c57ad8fde36b70b26643ea

            SHA1

            9ae53446347a65b26408a23dec696eeaebe90c18

            SHA256

            64203df96489fc0e7518414244f821830b2db5668647a1e090acefc252296b83

            SHA512

            2be7a07a5d258c5b7d09fe9f04fba4d81861fc03f7d355f8a6f474067e76e764c643f1a0677bb15b1435fb880367febb9182c4d17c838fba735c10a53c2cff31

            Download Submit

          • memory/456-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/456-40-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/456-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1848-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1848-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1848-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1848-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-32-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3060-11-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3192-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3192-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3328-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3328-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3328-55-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4116-33-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4116-52-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4700-45-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4700-54-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download