Overview

overview

10

Static

static

3

9565794471...26.exe

windows7-x64

10

9565794471...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2025 04:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95657944717b819a78e9a20d6a159167ce0ba71423b7e101ece9a2e7e3e3d826.exe

  • Size

    96KB

  • MD5

    0227405c46639b2222a17b83703ea91d

  • SHA1

    7ad2d760e13d1751c215bff82a1fc2f72c921c6c

  • SHA256

    95657944717b819a78e9a20d6a159167ce0ba71423b7e101ece9a2e7e3e3d826

  • SHA512

    4ec8b16e975fab0714d79c3b579037ae4dc50d3ab75eadbfa62f606e299f9fd0e4727870e0ebc61eaa8ff0e6eab14377a9020980ddbb9ef9631118639ac6618f

  • SSDEEP

    1536:NnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:NGs8cd8eXlYairZYqMddH13z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95657944717b819a78e9a20d6a159167ce0ba71423b7e101ece9a2e7e3e3d826.exe
    "C:\Users\Admin\AppData\Local\Temp\95657944717b819a78e9a20d6a159167ce0ba71423b7e101ece9a2e7e3e3d826.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\95657944717b819a78e9a20d6a159167ce0ba71423b7e101ece9a2e7e3e3d826.exe
      C:\Users\Admin\AppData\Local\Temp\95657944717b819a78e9a20d6a159167ce0ba71423b7e101ece9a2e7e3e3d826.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:648
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1540
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1776
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    e9470ecb24071cfddb9f6514f7fd7668

    SHA1

    5cc474de5d81b3d88e5f1f9ab2a355e16b8f9ff2

    SHA256

    24525ddd73ea62d3d419c42cfadc60adccdcad6585a74d9d99c2cc1fd56e449d

    SHA512

    f638015f693251933ba3ce638bb2595ebfa9e4d2547a6e7772a72d0e03c940f91d64d49948f03d932555d7433f1eba672fd42cd0d4baf94ec3c574e2ac792eb1

    Download Submit

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    96KB

    MD5

    e9bc117e1c443d98cd6304805e1cb61e

    SHA1

    cdfe8609cc7a28b36bccae6d104dc3f2a2f96d11

    SHA256

    bbcc37e2ecf73889a3662ae725db32b82e726cda29c84396734ba7892cb8ed3d

    SHA512

    ce9f17211c49fa7e11546db22ae00782e2003754779a80ccf751eae452f92114f859ee472c0d7c509823d5f47f4e673377033f386d420a8291619b5e07e2f91e

    Download Submit

  • \Windows\SysWOW64\omsecor.exe
    Filesize

    96KB

    MD5

    b9048bce4277b1bcfc244769a99b09a1

    SHA1

    7edd0521405dcc1e93869325badc516929444135

    SHA256

    d5879181b0e25e88ea62f3f7d14444f1e73c0bcb1322455feaf7df2a261f7f76

    SHA512

    c04b12b0f2bef403dd5a3a761a004047eddaff48d85d29c81aa57d03b8dabcb6f67944dfb9494b4b9788574e4359899a081f4c89afbc1a316e5bb5002b777af2

    Download Submit

  • memory/648-38-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/648-57-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/648-56-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/648-48-0x00000000003C0000-0x00000000003E3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/648-44-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/648-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/648-35-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1540-73-0x00000000003B0000-0x00000000003D3000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1760-58-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1760-66-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1776-88-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1776-81-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2088-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2088-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2200-21-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2200-24-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2200-33-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2616-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2616-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2616-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2616-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2616-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2988-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2988-94-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download