Overview

overview

10

Static

static

3

bbced7c800...33.exe

windows7-x64

10

bbced7c800...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2025 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe

  • Size

    96KB

  • MD5

    786f4f06717e6df31c71a641de88f62d

  • SHA1

    317c99ccac218aa62c89f9f5a48eeafee32f7d6c

  • SHA256

    bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033

  • SHA512

    371b9eed488019d8b27c6769036055463f2990c49d9db23528fbc2fd74ca09dd1968a1147ee8faa1fc28078817dcde9db92abf705fd73ea11baa497d862e52b1

  • SSDEEP

    1536:nnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:nGs8cd8eXlYairZYqMddH13z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe
    "C:\Users\Admin\AppData\Local\Temp\bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe
      C:\Users\Admin\AppData\Local\Temp\bbced7c800c29a8a471f716ec5a88661897beb816622eeb3489fcdf652ddd033.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3728
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3864
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2444
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2556
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:516
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 252
                  8⤵
                  • Program crash
                  PID:3016
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 296
              6⤵
              • Program crash
              PID:3816
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 288
          4⤵
          • Program crash
          PID:704
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 288
      2⤵
      • Program crash
      PID:3520
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3524 -ip 3524
    1⤵
      PID:3324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3728 -ip 3728
      1⤵
        PID:3292
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3864 -ip 3864
        1⤵
          PID:4272
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2556 -ip 2556
          1⤵
            PID:2956

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            3457a12e315d2198098682eda4c26ac7

            SHA1

            7802d8d039752f7922da1c7837c1596bdd92af0f

            SHA256

            fa1d389ba5fdea6b427f05e15d18b654abe27d997bddb08eb77d1218069c9328

            SHA512

            da933d40174c1e719a5c37837c2f229798364a24114f668dbbbcf7907006f2dd89158e50b6397984131e471561cca6034d4845d4e748764a56f7beda75884cf5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            b4f488426361b370a90ce94df315ce49

            SHA1

            6f0b2505c0c5fa09c08ed9b2db445f1620a83c26

            SHA256

            bf7a20aed9ed88c4ffaf0d235217b98dc5abb4e12ebd2e0c2fc8cfa9baa3b908

            SHA512

            12375a544d6149ae0d8047d0cba8082d642450a80738a9c6883a07cfd42562e999f0ca2eb10697952099c745300350ebca725271979591dcb992e9d3a98571f3

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            f380d38557fcea077ed5120ef57a8fc5

            SHA1

            6b000eccf634e9736111fe191f0a40642f362bfe

            SHA256

            3cdbb516316a69521c13f025e3e01f5f6adfa7501499947481cb05a6a09ec869

            SHA512

            7f25d8b2a5a5bca19a0ee6a9c144b4e363a46247f9754d82e6e1a1dcad47b92cb842920ac104a7944fe734a6b09a2a1203c0f782caf1d9817772fc3a07884e03

            Download Submit

          • memory/516-58-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/516-55-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/516-51-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/516-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2044-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2044-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2044-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2044-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2200-27-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2200-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2200-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2200-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2200-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2200-34-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2200-23-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2444-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2444-39-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2444-41-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2556-46-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3524-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3524-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3728-19-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3728-8-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3864-53-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3864-35-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download