Overview

overview

10

Static

static

3

ad88028011...3N.exe

windows7-x64

10

ad88028011...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-01-2025 14:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe

  • Size

    96KB

  • MD5

    4fdc5b677988c7885e6b14e5a0c505c0

  • SHA1

    14880f4ab2c99d1ca349809190b4bc71b8cb94ea

  • SHA256

    ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3

  • SHA512

    59831e9966e15e173a5b00c9fe8c03937c4a5d037a496cd99e4d92448d469c7375020eee5a7a542340d978d58087d389716de4ad5eb2a2056adae9bdb837971b

  • SSDEEP

    1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxO:LGs8cd8eXlYairZYqMddH13O

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
    "C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
      C:\Users\Admin\AppData\Local\Temp\ad8802801177bd9be07752b123f91723388ede203baca6f0dc749461202ff1c3N.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3540
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3036
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1304
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2952
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:756
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 256
                  8⤵
                  • Program crash
                  PID:3116
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 292
              6⤵
              • Program crash
              PID:5072
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 300
          4⤵
          • Program crash
          PID:2112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 288
      2⤵
      • Program crash
      PID:3316
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1760 -ip 1760
    1⤵
      PID:3224
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2072 -ip 2072
      1⤵
        PID:3960
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3036 -ip 3036
        1⤵
          PID:4648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2952 -ip 2952
          1⤵
            PID:3100

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            f263657d45d97792bb0cb313b3a95085

            SHA1

            c393d7ae97772a0d28ddf816deff523b3cb612c8

            SHA256

            c917269a10a4ba5d3ea0d38f0dbb4d5f2db0eef1920d506626fff7c8be194094

            SHA512

            445946a6ba199373ee1f2af109a2c54e2919bb29ab46bcc8bc511df1b9f67f391fc97b129e5a1a5c8e425c20d8ac31268aab398a7c5e4a411903e7ed4e6b0c71

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            4124807dc4306feab598aadbce7409f8

            SHA1

            02f818dae5160c130f63cb6280e2666ba6d144f5

            SHA256

            6d4390d6050a19e0ecb040f0d2fe7a84909b59bb34d35de7816dd0b8bcd2b2f8

            SHA512

            43d7930035a128084880907f3c1a5f2e468fba57629bb4bbe65c0f515b03177aa0aced2299c51c18f5d640940b70af0d7b939341e5d3e4dcba190505e8dc290d

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            cafa9a1d4f4ec59766043ffb5cdb88d8

            SHA1

            ebeeb5b04e17a1ba5f5f7e55a27784b168982862

            SHA256

            aa9e235468947dfb93db469266d05c7b46def67d9d31934d73851ac9f7a28f00

            SHA512

            b29cb7fa25158ff1b1f039b4405b67183f5254f932cd61d812e38749caf380acc94bbb6ee824ab824d8205358e5954fe84fb05595edfb252ca49029ddfee78aa

            Download Submit

          • memory/756-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/756-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/756-54-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1304-43-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1304-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1304-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1760-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1760-19-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2072-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2072-7-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2952-45-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2952-53-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3036-52-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3036-33-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3540-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3540-30-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3540-27-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3540-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3540-23-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3540-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3540-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4792-10-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4792-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4792-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4792-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download