Overview

overview

10

Static

static

3

d998c36925...b2.exe

windows7-x64

10

d998c36925...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/02/2025, 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d998c3692501dd8efb02f7286e8f7d6d6d424e8ccc1ae0523796c1256d23fcb2.exe

  • Size

    96KB

  • MD5

    78a061fad4189f343fcecc7875495c0c

  • SHA1

    7103bafd20528fe2c8bc3aa252fb1f0fdf00d90d

  • SHA256

    d998c3692501dd8efb02f7286e8f7d6d6d424e8ccc1ae0523796c1256d23fcb2

  • SHA512

    954ff5b8eb6996f0d61a26bf2ac07475dd2e1d66989c0afd658ef59baba0c54578461701fdb3bf2360665426970cd39e7b761fa3c07413bfd53323750ea83345

  • SSDEEP

    1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxR:OGs8cd8eXlYairZYqMddH13R

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d998c3692501dd8efb02f7286e8f7d6d6d424e8ccc1ae0523796c1256d23fcb2.exe
    "C:\Users\Admin\AppData\Local\Temp\d998c3692501dd8efb02f7286e8f7d6d6d424e8ccc1ae0523796c1256d23fcb2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\AppData\Local\Temp\d998c3692501dd8efb02f7286e8f7d6d6d424e8ccc1ae0523796c1256d23fcb2.exe
      C:\Users\Admin\AppData\Local\Temp\d998c3692501dd8efb02f7286e8f7d6d6d424e8ccc1ae0523796c1256d23fcb2.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:668
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:428
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3592
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:216
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4108
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 256
                  8⤵
                  • Program crash
                  PID:1820
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 292
              6⤵
              • Program crash
              PID:3044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 312
          4⤵
          • Program crash
          PID:3640
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 288
      2⤵
      • Program crash
      PID:2812
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2584 -ip 2584
    1⤵
      PID:4412
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2348 -ip 2348
      1⤵
        PID:2644
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 428 -ip 428
        1⤵
          PID:2724
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 216 -ip 216
          1⤵
            PID:2564

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            06cca3a912328de24a997f32f868a2b5

            SHA1

            a2b53f2ba51f525dc6b29abc89d3631e88a698da

            SHA256

            7ce40d7eb1e07646c2268e40c8a483bdb27e2ca35e090be46a5518b8fb986771

            SHA512

            b333176db490086327ccb71ed613ab05340e0658ea5a883cd500be201caaf2c7ff7a9ee45d170dfd11af0f20a7bd857e43eafcc04363047ab837e38b2ae31670

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            5f607c56e2fe3ca072825993fb611a44

            SHA1

            000d9c306bf15861bac1a1757b6f312dd5a6f09e

            SHA256

            f52f26a20abf5baa956e227de6dadc2ed197a7ec061a10131b685a1b87d60ba4

            SHA512

            71d5acc2f0db426fc7d65995da7346bb229ccbd8e9688659c9c97e73de81d0273b59c166899ee68469122c2e00dafe5029fad9655294c51a9dbc306dc0d59da6

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            074ff67bf351bed925ce0050a233ab2d

            SHA1

            58d589391d2374b3045cae7ec55627daa8b25549

            SHA256

            e296a07ace92d8fecf76d6d3913bec883ba5ac58b6490cbdd1cf995674919ce2

            SHA512

            5794a5684655d7e44e914f11ca897c8c0b7dc117b286c005d9aaf675b4883ef4eeb193364748a02d121fdefab17e5298abafd9392d3329e9097f77d7125eac82

            Download Submit

          • memory/216-52-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/216-44-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/428-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/428-32-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/668-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/668-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/668-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/668-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/668-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/668-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/668-29-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2348-17-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2348-11-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2584-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2584-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/3592-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3592-42-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3592-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3684-10-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3684-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3684-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3684-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4108-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4108-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4108-53-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download