Overview

overview

10

Static

static

3

5129f83e8b...aN.exe

windows7-x64

10

5129f83e8b...aN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 13:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe

  • Size

    96KB

  • MD5

    ca3c01db3d967edf3d69a5d99266b880

  • SHA1

    078f6b20d345d895fdb61cc1874ff6bdc44e91a3

  • SHA256

    5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22a

  • SHA512

    d70c02dd3f4e4d26d137f4fa971b6aa5577930f180e1ec98c19ee6a24a28936f17d3388671a8c2851ccf7905dc5eb25413c8bddd85ef383bb800f9c748152186

  • SSDEEP

    1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:JGs8cd8eXlYairZYqMddH13z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
    "C:\Users\Admin\AppData\Local\Temp\5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
      C:\Users\Admin\AppData\Local\Temp\5129f83e8b4fc95f8832307fe82875a8f31349625d3333b27e50007354f0f22aN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3656
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3784
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2756
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3136
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 256
                  8⤵
                  • Program crash
                  PID:668
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 292
              6⤵
              • Program crash
              PID:4008
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 300
          4⤵
          • Program crash
          PID:4684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 288
      2⤵
      • Program crash
      PID:2736
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3484 -ip 3484
    1⤵
      PID:1888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3528 -ip 3528
      1⤵
        PID:2336
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2336 -ip 2336
        1⤵
          PID:3824
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2756 -ip 2756
          1⤵
            PID:2276

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            975d457cb800077d56b181285b4aecf1

            SHA1

            48836d8522f640ed1954fa08af72c3e84537534f

            SHA256

            659007a1458582287d163bc495664b4e88d31487e58696ef276837b3ba48bb2f

            SHA512

            b4ac40853ef1cbc90aedf21ffad4ba22b5689ef14980b674af267270a76acd498a99a1e1e84e99e70db592218bc16ddcf0a3c9a671cf14158e006596bfb4acd3

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            3da1dd1af6e39f65b9b653a941c701bc

            SHA1

            703f2dbc6da9b27771c951094b192288e81c43e7

            SHA256

            b3b3ba05b7e716670328600b19a4a5099abbd2a4ad846e16f5df24e985bdf681

            SHA512

            7f8c5c8a42c3c2565c80592ad4d119a9475d78e8c107dffbd71d5263fe5383f43a67e5f77365ceeb3d92e0eddd8a2766b669930048eaf34324293db931c07d18

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            cfaa87961021381b909056c37573afa8

            SHA1

            69ccbe05e602d8687305f2c67fab60323eacb86b

            SHA256

            2f9471d95597c6a3ad4d933881c131405dcc418e3f985df8a3478bd3df848185

            SHA512

            d50f803fde4f34211714bf113bb6781f22987d3c971fcef584a5c2abfbf2b6288bdcc61d659b881bf498efe04c2d40c83e3b5398f1752a8669a2a48795468e48

            Download Submit

          • memory/2336-33-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2336-52-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2756-54-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2756-45-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3136-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3136-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3136-55-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3484-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3484-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3528-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3528-11-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3656-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3656-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3656-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3656-32-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3656-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3656-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3656-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3784-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3784-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3784-42-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4588-9-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4588-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4588-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4588-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download