Overview

overview

10

Static

static

3

24a4f08f85...01.exe

windows7-x64

10

24a4f08f85...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-02-2025 20:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe

  • Size

    96KB

  • MD5

    927a6a54399c59df9014b46a0e8aa4b7

  • SHA1

    ec20d79bce06eed76bb0314eddc6eb411e08ed97

  • SHA256

    24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601

  • SHA512

    9c37684f8f52ba02bb8b4ab9b7391f3dbbf0bab427a624a152d6f73590c5b2804d407a6081a476f4de9b995140bcfe641b000c193cddf4bef7e7e200622eb805

  • SSDEEP

    1536:qnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:qGs8cd8eXlYairZYqMddH13L

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
    "C:\Users\Admin\AppData\Local\Temp\24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Local\Temp\24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
      C:\Users\Admin\AppData\Local\Temp\24a4f08f8568585eb049849288a3c0f33f1fc6ef92b4d679410238e51f284601.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:868
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4236
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3596
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3396
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 256
                  8⤵
                  • Program crash
                  PID:2308
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 292
              6⤵
              • Program crash
              PID:2868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 300
          4⤵
          • Program crash
          PID:1796
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 288
      2⤵
      • Program crash
      PID:1688
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 536 -ip 536
    1⤵
      PID:4000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1860 -ip 1860
      1⤵
        PID:4124
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2816 -ip 2816
        1⤵
          PID:3324
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3596 -ip 3596
          1⤵
            PID:1692

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            0c7572536cba161e123936d46041a404

            SHA1

            a1c069ad23fce17a25e12eabd4c2e13d96a91278

            SHA256

            ff2014845219a348ed1b31b56bc1ef87139bb439b4e80a17e4fe733d2e30369d

            SHA512

            d5b6b62953a571c44ce460fdee4a5395058d80e7669916acb76ffae731b0dc987a0a925016b9b2dd982fdbfea31194a853470356355855fcce575e3f32ac21c0

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            fd6e1a60393fd78f66c7e6b1cd63d90f

            SHA1

            31c6bb0c469e068fe37450fab4af23f6043dd185

            SHA256

            cffbe469f7c1b82fadbc5c3866d953857e33e839cd8eca773353385664570022

            SHA512

            351db833a84f1257736a1d76f814ab93375083422008b578e968fc104d7533ec1bdeb9c1e166d53a7eb2316f32a23be822541882b3ddffa064362963727518ca

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            cfbf332a82b9e6d7f8f1a1b068655a44

            SHA1

            257a49f3491a1241e0923ada2378b13036fa54b6

            SHA256

            de1a7e4a7b206b602bc04ba24e77ee298b42fa9abb978b0d31ceb6350f2c9cd4

            SHA512

            2bef0f26b9c2057cc0a049395fc9badac4ef9fdf874557d8fe2a7137a67ff7bb0fd10383bf60da041170f152e3fcb473fc6d36910a653f02ac3930da3e357412

            Download Submit

          • memory/536-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/536-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/868-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/868-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/868-28-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/868-18-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/868-21-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/868-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/868-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1860-8-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1860-16-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2816-50-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2816-30-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3396-52-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3396-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3396-55-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3396-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3596-42-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4236-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4236-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4236-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4484-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4484-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4484-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4484-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download