Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-02-2025 16:38
General
-
Target
e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe
-
Size
96KB
-
MD5
edb0f3c415f5f4d166acffcd3fe73d90
-
SHA1
e419242d88054f65467983b78bf7ffed4cae44d2
-
SHA256
e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1
-
SHA512
89da9f72f78ac9c2034d378793771963a207871ca82ec6742bcb12a92ee41c8b3e89d9104ee58a993b7ecf85f75c2fb00a22e04a3dd747f768b1cb6c6ddc6457
-
SSDEEP
1536:JnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:JGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe"C:\Users\Admin\AppData\Local\Temp\e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exeC:\Users\Admin\AppData\Local\Temp\e99981ec088fb15d0d809a753cdd9a9b7ea91fff3cd80a4c49b275e82d11ceb1N.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 2688⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 2844⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 2922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2940 -ip 29401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5008 -ip 50081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4948 -ip 49481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4876 -ip 48761⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5b2dfa2a4c67dacee0549a544136e5bc8
SHA1dd04ba3a0c9ed83f2ccf752f8de128888a26d847
SHA2567feacaee53440cbf53352da6e433d87005f8df96ceed9b0e33234ae0d510f925
SHA512d8cacb2587ffcaa50a4c442a1c80e5f071834740087710a6de4cee45323c3dd9191e6956cd62aa9f798945acf6a186efab2a35fa54108ef8c54d054d828c9813
-
Filesize
96KB
MD516514339d94adcfc81b071a6b641fd77
SHA1b65bfcb85d7b2076db6bb3041b3ec376addef975
SHA256c60aa17e6b825598e631162dfa3930fe134221fb80c6f973a0390cb3596ed86e
SHA512ece5b17dd12ada53573852b413a3ea4c3f91d2296c29923e38fbb1ab268e9a16e60a05edcfc32c4f35280640c494bbcdd70e42b031843063feb201c69807cdf9
-
Filesize
96KB
MD52be1174e124cb6272fe2def4d8e9aa46
SHA11080b54e5d49e2fe02b07edf93509398a96550a1
SHA25687304c1d764777d4ec68da08941b3aecfa285c1f30d0d8385e8272d16807e916
SHA512268bab6c6f37010e76322042ef47831a25ecdf05cfacf144999a3621896893ba7f48af2307d348d5be8b3612a2e18c9a63e7fed9702fd8e2ef475a0246d36907
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB