Overview

overview

10

Static

static

3

7c9813ba83...45.exe

windows7-x64

10

7c9813ba83...45.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2025 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe

  • Size

    96KB

  • MD5

    5ec2d98eed16ff460b007d4e1906b847

  • SHA1

    083ea682b0221622e57184ba39a8a15477a426fd

  • SHA256

    7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345

  • SHA512

    65d570166147941bfb8a52c4f09c2502bb070b083b92d9177b7f1a5906da2a28197bdc31cc4bf7f9326ce68fd52e59c318191610829d0c29e610faeb3249a793

  • SSDEEP

    1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:aGs8cd8eXlYairZYqMddH13z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
    "C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
      C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3868
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1844
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2708
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4164
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3660
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 268
                  8⤵
                  • Program crash
                  PID:3580
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 292
              6⤵
              • Program crash
              PID:2920
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 300
          4⤵
          • Program crash
          PID:4104
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 288
      2⤵
      • Program crash
      PID:208
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 956 -ip 956
    1⤵
      PID:4844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1624 -ip 1624
      1⤵
        PID:1248
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1844 -ip 1844
        1⤵
          PID:4464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4164 -ip 4164
          1⤵
            PID:3224

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            ad908e17e061ded9f12d02830d3ecbbe

            SHA1

            44d19444bd1702313000eb724bd6b9c3d94da3fc

            SHA256

            4e1968602babfe29f878a900b6202d27e2f79f2e901dd808180da76b1dda430a

            SHA512

            a91e32fda7e7813108a36da7eb7105b327f053e9968b59ecea53b391085570b1aab6db9798cf5fdda84060fc06770edd8e9703eaf546c7376588731abc29ba41

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            23d1cf278ac56ac9435ba38ab08205bf

            SHA1

            88821ebd6beff95e06b8cdda9769a226792e12e7

            SHA256

            f8ae97a2442f7a0d7c37b633de740a13ec45c0b06390080e85f34312e5377f28

            SHA512

            458e47b01a62750aa97b1d163077695bd0b493f9674ebb2a3105b5c6b592f86fb80d0889e6b1402be57326fb084119b16ff66cc3bd1cb825a894ce4723d904ad

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            cf710602038515768248ddd707728d63

            SHA1

            4d1fb8a84726049c0872572d23fbf4bd39219399

            SHA256

            f64c52e8b3d01e5b9a22387ec1ba8892d4b74c8e83fea9cd8a47b7f869b2884a

            SHA512

            5fe63762ad3b62f26a02d371508405d762bcd4ce3d2a2bf878b9e6a7af17f3862717719d1c7ed97dc3a6240ffb864e87b3398ee6e52a54a70c679211a8c735cf

            Download Submit

          • memory/956-19-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/956-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1624-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1624-10-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1844-32-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1844-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2252-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2252-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2252-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2252-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2708-40-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2708-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2708-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3660-53-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3660-56-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3660-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3660-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3868-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3868-31-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3868-27-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3868-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3868-23-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3868-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3868-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4164-45-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download