Overview

overview

10

Static

static

3

7477b1e11e...bN.exe

windows7-x64

10

7477b1e11e...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe

  • Size

    96KB

  • MD5

    bc3605cf527687ece09deda62011fe30

  • SHA1

    17e76cae976757717c6f95ee80865852bc19dd47

  • SHA256

    7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8eb

  • SHA512

    769481f7c9784712b0348ac5d8a97eeaa59f1d23a754d86210eab3a233a498375f0fa629349d502c901737247d90b696e5f63ffa805d2cd14a775e816f09f51b

  • SSDEEP

    1536:pnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:pGs8cd8eXlYairZYqMddH13z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
    "C:\Users\Admin\AppData\Local\Temp\7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Users\Admin\AppData\Local\Temp\7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
      C:\Users\Admin\AppData\Local\Temp\7477b1e11ef2df625c00fefe47f6655dcd987b6ce9e3f5db612079f59518e8ebN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3124
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:840
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1688
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1656
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4208
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 256
                  8⤵
                  • Program crash
                  PID:2640
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 296
              6⤵
              • Program crash
              PID:532
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 300
          4⤵
          • Program crash
          PID:5008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 300
      2⤵
      • Program crash
      PID:4920
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 544 -ip 544
    1⤵
      PID:1528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3124 -ip 3124
      1⤵
        PID:3540
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 840 -ip 840
        1⤵
          PID:1020
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1656 -ip 1656
          1⤵
            PID:4344

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            5f8eb22480d1a0477d7b5acbd9da9680

            SHA1

            37b5493b9a8d2ac68a36c68a37a00d1cfff4164f

            SHA256

            e92692dd204e58a3bf4dfe932cb1f52af8c47b49516522ea82834c85b597ef2b

            SHA512

            9b6b4b171a2cc3c134d16b10d58376b2ebaa0dfba4a657c430f7b27b11e39e47a7601021614f3550d65098e065502ed86e0b36c14a64d9025c4a6b0307d88408

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            0cb9f74c541b920fc018c7fbf3716dcb

            SHA1

            99458ce1855d7a90cc5bf90adaee4c2cfc523d8e

            SHA256

            1bef612b24fe5ea992ad9e9c9bcdf989c07083fa6adc0d3793deb5b02edd908f

            SHA512

            d01c737e03f860e5c3870f9a338c2061f1a70ed3591196d2238f45219d968a5bb42441618bc85f3e4c2ef6a918670d4bf1a7eb97f831cf49d1a80caee87460cb

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            aec8b5cae13b8470ac30a27892ab703e

            SHA1

            646087cc90e8def1dd34454971e184f125cad559

            SHA256

            9014e174a9cd9efebc6c95fd827c279d76933d18ad985cf357a5b44af69b099a

            SHA512

            6698809131af5ee90b725977ed041fa7e31eb11def6de4cbf88e4f2dc63612a5584f0beccc9ae1ec1162931c3401e7be8b70dd1323cdfab269a4e6ebd43d4740

            Download Submit

          • memory/544-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/544-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/840-36-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1656-47-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1688-39-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1688-40-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1688-42-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1772-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1772-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1772-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1772-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3124-11-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3124-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4056-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4056-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4056-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4056-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4056-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4056-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4056-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4208-52-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4208-51-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4208-55-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download