Overview

overview

10

Static

static

3

dd2643e243...4b.exe

windows7-x64

10

dd2643e243...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/02/2025, 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd2643e243a2b100d23002604a1c5f5ee2a88665930628a6b46571cbd3d5544b.exe

  • Size

    96KB

  • MD5

    42939f6d36616455ed6b192023e46298

  • SHA1

    a11a300473c0ebb1029157676f82066879fa9d63

  • SHA256

    dd2643e243a2b100d23002604a1c5f5ee2a88665930628a6b46571cbd3d5544b

  • SHA512

    901f271293e63035ad26ee291fc9d9da6e46471901f982da228e886fc19669590b213d12ccb1a435cce0fe3f55432a390185c6c829c341633ecb73eb09c65996

  • SSDEEP

    1536:DnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxZ:DGs8cd8eXlYairZYqMddH13Z

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd2643e243a2b100d23002604a1c5f5ee2a88665930628a6b46571cbd3d5544b.exe
    "C:\Users\Admin\AppData\Local\Temp\dd2643e243a2b100d23002604a1c5f5ee2a88665930628a6b46571cbd3d5544b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Users\Admin\AppData\Local\Temp\dd2643e243a2b100d23002604a1c5f5ee2a88665930628a6b46571cbd3d5544b.exe
      C:\Users\Admin\AppData\Local\Temp\dd2643e243a2b100d23002604a1c5f5ee2a88665930628a6b46571cbd3d5544b.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3296
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4828
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1848
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1628
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3684
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 268
                  8⤵
                  • Program crash
                  PID:3344
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 300
              6⤵
              • Program crash
              PID:2736
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 300
          4⤵
          • Program crash
          PID:4404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 300
      2⤵
      • Program crash
      PID:2928
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4720 -ip 4720
    1⤵
      PID:3472
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1688 -ip 1688
      1⤵
        PID:1696
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4828 -ip 4828
        1⤵
          PID:4280
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1628 -ip 1628
          1⤵
            PID:4512

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            3f54e81ea5e524dc3336742fb5a5622b

            SHA1

            1d0c3e111a2a6802f88e4edcbd056b3a7d8040ff

            SHA256

            69532e541672e3ee1e71007037ac0e083a01a87cc6b56266c53289d3a6fb5672

            SHA512

            ae3c483fa6adf05c335b0b24d86eec351b773540a7669e9d39f3713b4ec48f505dae838d6c08399f4089917d8355da2828aa88aec20e7b33bc1ad5207354966b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\omsecor.exe
            Filesize

            96KB

            MD5

            17bdaea69479f4246cf4630cc1245c46

            SHA1

            2f9f6f481b503b9b3446499fec63cd30c72132d4

            SHA256

            7d205f06bcae088be89305612b8cd231bcd89fef8ab92891020829f6dba26b16

            SHA512

            fd65a820f7035941f0afe967ad21090b99a868f85eea70a5bae999533b148dcb3f034b5ee8a63a805e119aea103f539fbc5cfa21ea44858590f5af3e917695e6

            Download Submit

          • C:\Windows\SysWOW64\omsecor.exe
            Filesize

            96KB

            MD5

            e633537063f9e357aa097c4e60ffd592

            SHA1

            f05aed8d3a43c5b495701a685fe589813e439ba6

            SHA256

            8439fda8d18489b9c5dbca1f99f91e4f8bc7ffc778662a9c6e60887c2105d8fa

            SHA512

            3adca50d3696823ee9f91fd7b7ec8196e30c02bdb53eca8c800f58d32e6a7cda5b05400e3de29640f3a3b7b724fc1d967f7238fb15b3c73e02daac331d25977a

            Download Submit

          • memory/1156-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1156-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1156-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1156-10-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1628-45-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1688-7-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1688-16-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/1848-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1848-40-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/1848-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3296-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3296-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3296-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3296-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3296-33-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3296-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3296-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3684-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3684-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3684-54-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4720-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4720-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4828-34-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download

          • memory/4828-52-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

            Download