Overview

overview

10

Static

static

3

21b0a8040e...64.exe

windows7-x64

10

21b0a8040e...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2025 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe

  • Size

    96KB

  • MD5

    e07d0b15d4e7503500807aa373df6a6a

  • SHA1

    18e97aed437d6caaf333cd4667a10ed235d30ca7

  • SHA256

    21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164

  • SHA512

    a0786f76b4076de6de00be786f57ff949161189a8b69275813e5b0a68b146c98164c5b785e1f824b701d657d3fbb5e25377805376306cfccbbb4ad3386c150d1

  • SSDEEP

    1536:1nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:1Gs8cd8eXlYairZYqMddH13r

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
    "C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
      C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2152
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1520
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:5096
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1944
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4568
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 268
                  8⤵
                  • Program crash
                  PID:4516
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 292
              6⤵
              • Program crash
              PID:3956
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 288
          4⤵
          • Program crash
          PID:1464
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 300
      2⤵
      • Program crash
      PID:4996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3004 -ip 3004
    1⤵
      PID:4204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3436 -ip 3436
      1⤵
        PID:3580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1520 -ip 1520
        1⤵
          PID:4360
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1944 -ip 1944
          1⤵
            PID:3988

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            debaee5209253b7e1351d8657230a503

            SHA1

            191e90596881ca59995c24f50ad347d4e1d331c1

            SHA256

            3f66162d8207b553ac4414754aee28f5310ed6a11f67f71bcdeb4147d5049d9f

            SHA512

            92b74f2d96901d4b8ab888801f5fab27b454fc51990bd389b5b48aa82f4b005ea5496a89f95ff97682cd8249f211ab997a6e30abc2ab5767503d251043e742b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            1228cbb817eccdc3ecd8405cf15beee9

            SHA1

            ecb895cb6ef42d30e1ee5f76d8195ff3ba60a8a1

            SHA256

            e37fd897f667c4c8f1c32b2988402cd78a63acd17afccd5d4b3735eb210dfbeb

            SHA512

            dfa7539bc7c35c730ec2216919d65582b0c5708fc8a94df6066c1eddd7f875c8d18300499ecf5df74e63f8ab14ff9fc11366e075301ddf8896423c1aae05c4c6

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            773a8e292164cf347c04e1f942c5c90d

            SHA1

            2d085e5125b74a0827f13e3da3dd8088addca105

            SHA256

            c7123f7501e1efc3a5b9d14e0fdba8b0eed81e0ff6058bfe2366307a161f69c4

            SHA512

            996743b6dd73d16e8f47c6cf07c95f7054e8771df4dadb923ab62bac66ed7ae0a22403fef4fc6c1fb536f99b15c6ac71346155f40f4d97a7c38b31e85844e3b6

            Download Submit

          • memory/1520-53-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1520-34-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1944-55-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1944-46-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2152-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2152-27-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2152-33-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2152-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2152-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2152-23-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2152-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3004-19-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3004-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3436-8-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3436-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3504-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3504-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3504-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3504-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4568-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4568-51-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4568-56-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5096-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5096-43-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/5096-39-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download