Analysis
-
max time kernel
115s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-01-2025 11:29
General
-
Target
a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe
-
Size
96KB
-
MD5
787bb733bd65ffabe55a3153d1b58db4
-
SHA1
1e56f1a4108108dd57052ce04ac92e35056bd450
-
SHA256
a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80
-
SHA512
3e88d679b1c97d6b6a3fce946aaa603e3139af26975dd9416a8c7e5b3d2965472d67b31ac9ec65ea5c449621b02b4dd117aa45011220fe91d3b1b64ee2dbef1f
-
SSDEEP
1536:tnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:tGs8cd8eXlYairZYqMddH137
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe"C:\Users\Admin\AppData\Local\Temp\a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exeC:\Users\Admin\AppData\Local\Temp\a335c2d042ee4fdbba0995ce1f4b403f43614a075ac443085570c1aa673c1d80.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 2528⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 3006⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 2884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2148 -ip 21481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4356 -ip 43561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3768 -ip 37681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2956 -ip 29561⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5a3d7b8db060dc0f00773c8ef4b22fbc9
SHA12a17e2a92eb400f85822d5ea13c051183a1ff9d3
SHA256449eae3ac1b31aa6d68323bd6a281d75bb41cb38cc25a47061fcee19fdf36317
SHA512d8853c032279fd9af9b695d669ccc8698fac217a53269a0a7e2c126215fea4bba74136f38cdaa4b0653a52d487f283adcbc735c2cdd3ff9ef5afe0fc34b8952a
-
Filesize
96KB
MD56775671efd0194f7d6e0c60745c5309c
SHA1601c01db0abf8dfc7aeecf85e24d1b1e456e559b
SHA2563f84a7c96fd7357f8936158ba90a1f275e8b645348b1d15ce7b9a20776531594
SHA512661fd8fa51958b02b0d3fe43b29b12f059fa6741f21395d2750cf44ae6954ae61b7c93d0480eb29edad18423f5e3fc635a7dcfec2054013d74dacfc94ad0c52b
-
Filesize
96KB
MD5a36e4006d0a7b6c35d727d275961b3fa
SHA1dd95cb2f8c20ed2d340b0eec55259b61bce73b99
SHA2562885d8160a7fd943192f60b2cbe2844c14591c4cbf68b7c4072ca2b593244ecd
SHA51297aaed6836fdde7ab0577a95d40cf40d809c283daa6f34058009cfc61e28df5e211cfb19e94c14719c1c44bd1817caf845ad912f56143fde260ff56fa9d993b4
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB