Overview

overview

10

Static

static

3

9815e4ab48...9N.exe

windows7-x64

10

9815e4ab48...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe

  • Size

    96KB

  • MD5

    6fba36ee6a4b30872aceb83cb2a4c130

  • SHA1

    24bb0d6e6156e752859729f8961807e75bca7028

  • SHA256

    9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9

  • SHA512

    5a1b0e4e33093138ac222986da291e4a2cf1c29d28b5cd96ccd8fdff3f4011320fcd6015e5200e6823d4999fb34c634f8a15ac1dbb2644356c985dc58e496d77

  • SSDEEP

    1536:gnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:gGs8cd8eXlYairZYqMddH13z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
    "C:\Users\Admin\AppData\Local\Temp\9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Users\Admin\AppData\Local\Temp\9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
      C:\Users\Admin\AppData\Local\Temp\9815e4ab48af6d8588dce35a054f43b299cf774137923f71248602cf8ce617b9N.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3052
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4324
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2480
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3332
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 268
                  8⤵
                  • Program crash
                  PID:3888
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 292
              6⤵
              • Program crash
              PID:5088
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 288
          4⤵
          • Program crash
          PID:1920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 288
      2⤵
      • Program crash
      PID:4560
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2800 -ip 2800
    1⤵
      PID:1328
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2736 -ip 2736
      1⤵
        PID:3788
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3052 -ip 3052
        1⤵
          PID:4360
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2480 -ip 2480
          1⤵
            PID:4372

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            dc91ce83d6aec2c5722df75b57117bcf

            SHA1

            f73ca3182de38641c4e0fa6efb2ef222a4329883

            SHA256

            48b1b56c93a3181a27e5d8588d3950e120f9889fa32b56231f42ee5b13957630

            SHA512

            a51e18d2fc369cc4d7c77cf8523be68b0ec79133b38169e35a874d976f967a8f197aa20c05e629c999bcf93c8a21e8b90a3d5b096865a7b3d928bbdf505fd120

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            2fda53bae1a990bd562c2b0fa6abf020

            SHA1

            010478f5e1b2360977c63ac3b5b8718f0542c6a8

            SHA256

            156761a4da091b2c24b114d7a918a1509a2f18adbf3ab77e391066b3c2a75d1e

            SHA512

            94a50e6ea461a2c7fedce66e56a11f9ab9a518a4a9675cc065b554637b05a970c87742582bdff8e1d84c3b92f5eb241f31ff6da9963ef65c946e9eb697b2ece9

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            3ddcf9d08bee551a1b936ec1f713157b

            SHA1

            03c729d8777135f4c8ef2f88fe8a943550e384e3

            SHA256

            4195a5ea26a0f05e87146fe078a8ee512212e0edd7ca186a0bfa73430449881a

            SHA512

            448c23cb5aa000e05e74f8c42b9262226a2fa25bd9dd256f482b9a75aa14052ed7b273fb85fe67b205d9b59849960705a617efa45537d307d3c623aaf45d11fd

            Download Submit

          • memory/2324-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2324-29-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2324-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2324-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2324-18-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2324-21-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2324-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2380-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2380-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2380-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2380-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2480-43-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2480-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2736-11-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2800-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2800-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3052-50-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3052-30-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3332-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3332-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3332-52-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4324-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4324-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4324-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download