Overview

overview

10

Static

static

3

f4698649d5...73.exe

windows7-x64

10

f4698649d5...73.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2025 05:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4698649d50cc91b85dbe22e275884fbf5f7932033724674fa3ba4c704881f73.exe

  • Size

    96KB

  • MD5

    84bc7b538466daa41130d64f94c24b6c

  • SHA1

    13213bd1cb2f5cf7121d3153daee1c65f7d747f8

  • SHA256

    f4698649d50cc91b85dbe22e275884fbf5f7932033724674fa3ba4c704881f73

  • SHA512

    ea7c84e7dda528c6176ad00b18f66ee93526709f37873ab3cfa6ef6fac50c6ab738318e3c3fd4cf4647f83121dc6fc836e520f74eb8c4f55af767c73236d855b

  • SSDEEP

    1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:JGs8cd8eXlYairZYqMddH13b

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4698649d50cc91b85dbe22e275884fbf5f7932033724674fa3ba4c704881f73.exe
    "C:\Users\Admin\AppData\Local\Temp\f4698649d50cc91b85dbe22e275884fbf5f7932033724674fa3ba4c704881f73.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Users\Admin\AppData\Local\Temp\f4698649d50cc91b85dbe22e275884fbf5f7932033724674fa3ba4c704881f73.exe
      C:\Users\Admin\AppData\Local\Temp\f4698649d50cc91b85dbe22e275884fbf5f7932033724674fa3ba4c704881f73.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:408
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2684
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4672
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3996
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 256
                  8⤵
                  • Program crash
                  PID:4332
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 296
              6⤵
              • Program crash
              PID:3624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 288
          4⤵
          • Program crash
          PID:836
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 288
      2⤵
      • Program crash
      PID:4204
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332
    1⤵
      PID:3468
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4788 -ip 4788
      1⤵
        PID:3976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2596 -ip 2596
        1⤵
          PID:3116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4672 -ip 4672
          1⤵
            PID:5076

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            c28bd966c5a02baca0e63ced01259256

            SHA1

            c902c697aaa93dc1243bf43ebc262817afa6e7ec

            SHA256

            9d02eae7738a3f53f675c9fcc725d393dce69fb60c5b7e0315fd6f9d3866009f

            SHA512

            575ac22de99a4019bc63d9bbb89a4dc7d2bc1a184b08a135d8b3f5f0f2096efaac4cc1c4feb84802f0c59291550cae143ce3457bad66409af69277ae4bb5dd19

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            6b88477da2ee1c25d9d462f479bc88cd

            SHA1

            48a314b5fae77d1ad598f1ac9d30adcb7c7b87e8

            SHA256

            70321bc3e4a455418cde306da4194b779c4c01a474bf1aec1eaaac2de64d1f77

            SHA512

            8fcceec0bc07d1552e864d57373e466c1cee2288b9422acd0cb7efeca45bf0cb99e802f990c0eff73a37c2b62da0378d45252dad14a2e74d44f4c08383039613

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            995536b03bfe70ff35dc2ad06f7dd094

            SHA1

            6816fe0d5544fbd0f620c62af0bf8e5abfc2fea3

            SHA256

            68119f45af9b3c74f3b7ba472120378ebd32192a8633d25b18ec8f54af3a3d1b

            SHA512

            a1be0f8a35766575523b694b018abbdb25d1a7d70825b1ba26dad706bdd46d997e0b7b01e5c18f610b950d96984a04a7fd5764d82effcf7f7489a314125ff14c

            Download Submit

          • memory/408-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/408-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/408-30-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/408-27-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/408-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/408-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/408-23-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1332-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1332-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2148-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2148-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2148-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2148-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2596-52-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2596-33-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2684-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2684-40-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2684-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3996-54-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3996-57-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3996-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3996-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4672-45-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4788-19-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4788-9-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download