Overview

overview

10

Static

static

3

bbced7c800...33.exe

windows7-x64

10

bbced7c800...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-01-2025 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe

  • Size

    96KB

  • MD5

    786f4f06717e6df31c71a641de88f62d

  • SHA1

    317c99ccac218aa62c89f9f5a48eeafee32f7d6c

  • SHA256

    bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033

  • SHA512

    371b9eed488019d8b27c6769036055463f2990c49d9db23528fbc2fd74ca09dd1968a1147ee8faa1fc28078817dcde9db92abf705fd73ea11baa497d862e52b1

  • SSDEEP

    1536:nnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:nGs8cd8eXlYairZYqMddH13z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe
    "C:\Users\Admin\AppData\Local\Temp\bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe
      C:\Users\Admin\AppData\Local\Temp\bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1552
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2168
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2064
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    b4f488426361b370a90ce94df315ce49

    SHA1

    6f0b2505c0c5fa09c08ed9b2db445f1620a83c26

    SHA256

    bf7a20aed9ed88c4ffaf0d235217b98dc5abb4e12ebd2e0c2fc8cfa9baa3b908

    SHA512

    12375a544d6149ae0d8047d0cba8082d642450a80738a9c6883a07cfd42562e999f0ca2eb10697952099c745300350ebca725271979591dcb992e9d3a98571f3

    Download Submit

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    4d023c72f6ea26635e129da12df89d14

    SHA1

    88d79343109bd02e81ac0749a8a42f90e0d526a0

    SHA256

    3aa773ab2ce812e573462b14ee31a55353e2a9f23ebf7470730f30a0d1263b58

    SHA512

    cc7b4dd8fdc60ec34f42bca2f033d28dcfe01e72318c1952cfbb59555109ae9d86675f392aa60bb85e6b30d04aab87dc260dda5a80a32e307f6859cba7123e77

    Download Submit

  • \Windows\SysWOW64\omsecor.exe
    Filesize

    96KB

    MD5

    ea5d3a485290db36dd2f0074eb0c6559

    SHA1

    41b34feeec79368e7d46459c04535a334b874220

    SHA256

    68f2d61d0e7398128c52ef37e94e93f9fa2a4beb07e7503b7d678b18077c71b6

    SHA512

    a005800a239e1aedcfbc7bb84ddf5063ed1beabbf80bbd7194a05e1420b1ffda5ff3de37bfabb873f47e730f94293a54850cb550bcb5d156e209145880ed63d0

    Download Submit

  • memory/1264-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1264-11-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1264-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1264-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1264-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1552-65-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1552-56-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2064-86-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2064-78-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2208-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2208-88-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2328-33-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2328-21-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2328-24-0x00000000003D0000-0x00000000003F3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2456-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2456-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2856-54-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2856-44-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2856-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2856-38-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2856-35-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download