neconyd | d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 08:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe
Size

76KB
MD5

9bf9991c94bf9af2935e453bc8885ca7
SHA1

ba2d8ae3c8810009f6fee4c2d44fb3a973d07d6b
SHA256

d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17
SHA512

f7db2057c5d6594d58676e75cc99ab9babe30c6096f85b73890256cdb7a9b0955fff4478e39719db957c740c1e87811d45fadbd24735086494bfa176eb3965be
SSDEEP

768:zMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:zbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
4968	omsecor.exe
4972	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4968	4644	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	82
PID 4644 wrote to memory of 4968	4644	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	82
PID 4644 wrote to memory of 4968	4644	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	82
PID 4968 wrote to memory of 4972	4968	omsecor.exe	98
PID 4968 wrote to memory of 4972	4968	omsecor.exe	98
PID 4968 wrote to memory of 4972	4968	omsecor.exe	98

C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe
"C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4972

Network

DNS

lousta.net

omsecor.exe

Remote address:

8.8.8.8:53

Request

lousta.net

IN A

Response

lousta.net

IN A

193.166.255.171
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83q-wzoDMr8EQ3UuILAF0hDVUCUwT8TtKIdFTXh3UK18w0OXB_CejjUPGu6d8ZtSBpiugAkktsrfK_Jut5SvkKtxXN-lQSzGZ1L3pZYysjLUIautdn1OmuQGOy_ZO-ssgTLtEkq4yoSCpgMmLoqKNXg5uZ9NhfstE2fZosUvUxhy2Orwp%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddda514cb3bc014dd679872f05d8b93c0&TIME=20240508T114824Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83q-wzoDMr8EQ3UuILAF0hDVUCUwT8TtKIdFTXh3UK18w0OXB_CejjUPGu6d8ZtSBpiugAkktsrfK_Jut5SvkKtxXN-lQSzGZ1L3pZYysjLUIautdn1OmuQGOy_ZO-ssgTLtEkq4yoSCpgMmLoqKNXg5uZ9NhfstE2fZosUvUxhy2Orwp%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddda514cb3bc014dd679872f05d8b93c0&TIME=20240508T114824Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2EC21966B3476F430F500DE1B2A76E08; domain=.bing.com; expires=Mon, 16-Jun-2025 08:11:15 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E2CBBB8B4C2A4DA48D9C6D238CAA1311 Ref B: LON04EDGE1213 Ref C: 2024-05-22T08:11:15Z
date: Wed, 22 May 2024 08:11:15 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83q-wzoDMr8EQ3UuILAF0hDVUCUwT8TtKIdFTXh3UK18w0OXB_CejjUPGu6d8ZtSBpiugAkktsrfK_Jut5SvkKtxXN-lQSzGZ1L3pZYysjLUIautdn1OmuQGOy_ZO-ssgTLtEkq4yoSCpgMmLoqKNXg5uZ9NhfstE2fZosUvUxhy2Orwp%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddda514cb3bc014dd679872f05d8b93c0&TIME=20240508T114824Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83q-wzoDMr8EQ3UuILAF0hDVUCUwT8TtKIdFTXh3UK18w0OXB_CejjUPGu6d8ZtSBpiugAkktsrfK_Jut5SvkKtxXN-lQSzGZ1L3pZYysjLUIautdn1OmuQGOy_ZO-ssgTLtEkq4yoSCpgMmLoqKNXg5uZ9NhfstE2fZosUvUxhy2Orwp%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddda514cb3bc014dd679872f05d8b93c0&TIME=20240508T114824Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2EC21966B3476F430F500DE1B2A76E08; _EDGE_S=SID=354378EFC8796C3812196C68C9D36DB4

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=C8Bc9ysY6j1x2tbyul3LqAvr5eXKtyhca-Ys00aT85g; domain=.bing.com; expires=Mon, 16-Jun-2025 08:11:16 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8E67439F409147EC8D967864CB646F56 Ref B: LON04EDGE1213 Ref C: 2024-05-22T08:11:16Z
date: Wed, 22 May 2024 08:11:15 GMT
GET

https://www.bing.com/aes/c.gif?RG=2ea42dd21e974de3bde2cd59d44c5e08&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114824Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

Remote address:

23.62.61.139:443

Request

GET /aes/c.gif?RG=2ea42dd21e974de3bde2cd59d44c5e08&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114824Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2EC21966B3476F430F500DE1B2A76E08

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 05A8BBA8EBEB45AA942D1E6D8B584489 Ref B: DUS30EDGE0715 Ref C: 2024-05-22T08:11:15Z
content-length: 0
date: Wed, 22 May 2024 08:11:16 GMT
set-cookie: _EDGE_S=SID=354378EFC8796C3812196C68C9D36DB4; path=/; httponly; domain=bing.com
set-cookie: MUIDB=2EC21966B3476F430F500DE1B2A76E08; path=/; httponly; expires=Mon, 16-Jun-2025 08:11:16 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.873d3e17.1716365475.d275c2f
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

139.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

139.61.62.23.in-addr.arpa

IN PTR

Response

139.61.62.23.in-addr.arpa

IN PTR

a23-62-61-139deploystaticakamaitechnologiescom
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

mkkuei4kdsz.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

mkkuei4kdsz.com

IN A

Response

mkkuei4kdsz.com

IN A

64.225.91.73
GET

http://mkkuei4kdsz.com/798/671.html

omsecor.exe

Remote address:

64.225.91.73:80

Request

GET /798/671.html HTTP/1.1
From: 133608390733447646
Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5430`nd{@359`48c93723a;e83i5f932i65d/c:dd
Host: mkkuei4kdsz.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

server: nginx/1.18.0 (Ubuntu)
date: Wed, 22 May 2024 08:12:17 GMT
content-type: text/html
content-length: 593
last-modified: Wed, 22 Feb 2023 21:25:52 GMT
etag: "63f68860-251"
accept-ranges: bytes
DNS

73.91.225.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.91.225.64.in-addr.arpa

IN PTR

Response
DNS

45.19.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.19.74.20.in-addr.arpa

IN PTR

Response
DNS

ow5dirasuek.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

ow5dirasuek.com

IN A

Response

ow5dirasuek.com

IN A

35.91.124.102
GET

http://ow5dirasuek.com/757/996.html

omsecor.exe

Remote address:

35.91.124.102:80

Request

GET /757/996.html HTTP/1.1
From: 133608390733447646
Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5430`nd{@359`48c93723a;e83i5f932i65d/c:dd
Host: ow5dirasuek.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 22 May 2024 08:12:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e3f7c917c09dec7323026958e30e132e|191.101.209.39|1716365547|1716365547|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

102.124.91.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

102.124.91.35.in-addr.arpa

IN PTR

Response

102.124.91.35.in-addr.arpa

IN PTR

ec2-35-91-124-102 us-west-2compute amazonawscom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 442324
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D906CEDB46BF4EE2A3E2D541BD2AF796 Ref B: LON04EDGE1210 Ref C: 2024-05-22T08:12:54Z
date: Wed, 22 May 2024 08:12:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 394521
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8C7E9BCC231945F781E4B98274DF4C4C Ref B: LON04EDGE1210 Ref C: 2024-05-22T08:12:54Z
date: Wed, 22 May 2024 08:12:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 434F98D6F4BD422D875A686D106852D8 Ref B: LON04EDGE1210 Ref C: 2024-05-22T08:12:54Z
date: Wed, 22 May 2024 08:12:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 91051424C992472CB482884107A91207 Ref B: LON04EDGE1210 Ref C: 2024-05-22T08:12:54Z
date: Wed, 22 May 2024 08:12:54 GMT
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
GET

http://mkkuei4kdsz.com/491/319.html

omsecor.exe

Remote address:

64.225.91.73:80

Request

GET /491/319.html HTTP/1.1
From: 133608391565635586
Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A46:a59d:4834b<f94j6g:43j76e0d;ee
Host: mkkuei4kdsz.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

server: nginx/1.18.0 (Ubuntu)
date: Wed, 22 May 2024 08:13:40 GMT
content-type: text/html
content-length: 593
last-modified: Wed, 22 Feb 2023 21:25:52 GMT
etag: "63f68860-251"
accept-ranges: bytes
DNS

24.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.173.189.20.in-addr.arpa

IN PTR

Response

193.166.255.171:80

lousta.net

omsecor.exe

260 B
5
204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83q-wzoDMr8EQ3UuILAF0hDVUCUwT8TtKIdFTXh3UK18w0OXB_CejjUPGu6d8ZtSBpiugAkktsrfK_Jut5SvkKtxXN-lQSzGZ1L3pZYysjLUIautdn1OmuQGOy_ZO-ssgTLtEkq4yoSCpgMmLoqKNXg5uZ9NhfstE2fZosUvUxhy2Orwp%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddda514cb3bc014dd679872f05d8b93c0&TIME=20240508T114824Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83q-wzoDMr8EQ3UuILAF0hDVUCUwT8TtKIdFTXh3UK18w0OXB_CejjUPGu6d8ZtSBpiugAkktsrfK_Jut5SvkKtxXN-lQSzGZ1L3pZYysjLUIautdn1OmuQGOy_ZO-ssgTLtEkq4yoSCpgMmLoqKNXg5uZ9NhfstE2fZosUvUxhy2Orwp%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddda514cb3bc014dd679872f05d8b93c0&TIME=20240508T114824Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83q-wzoDMr8EQ3UuILAF0hDVUCUwT8TtKIdFTXh3UK18w0OXB_CejjUPGu6d8ZtSBpiugAkktsrfK_Jut5SvkKtxXN-lQSzGZ1L3pZYysjLUIautdn1OmuQGOy_ZO-ssgTLtEkq4yoSCpgMmLoqKNXg5uZ9NhfstE2fZosUvUxhy2Orwp%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddda514cb3bc014dd679872f05d8b93c0&TIME=20240508T114824Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204
23.62.61.139:443

https://www.bing.com/aes/c.gif?RG=2ea42dd21e974de3bde2cd59d44c5e08&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114824Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

tls, http2

1.4kB
5.3kB
16
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=2ea42dd21e974de3bde2cd59d44c5e08&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114824Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

HTTP Response

200
193.166.255.171:80

lousta.net

omsecor.exe

260 B
5
64.225.91.73:80

http://mkkuei4kdsz.com/798/671.html

http

omsecor.exe

421 B
948 B
5
3

HTTP Request

GET http://mkkuei4kdsz.com/798/671.html

HTTP Response

200
35.91.124.102:80

http://ow5dirasuek.com/757/996.html

http

omsecor.exe

467 B
623 B
6
5

HTTP Request

GET http://ow5dirasuek.com/757/996.html

HTTP Response

200
193.166.255.171:80

lousta.net

omsecor.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

60.9kB
1.7MB
1279
1272

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
193.166.255.171:80

lousta.net

omsecor.exe

260 B
5
64.225.91.73:80

http://mkkuei4kdsz.com/491/319.html

http

omsecor.exe

375 B
948 B
4
3

HTTP Request

GET http://mkkuei4kdsz.com/491/319.html

HTTP Response

200

8.8.8.8:53

lousta.net

dns

omsecor.exe

56 B
72 B
1
1

DNS Request

lousta.net

DNS Response

193.166.255.171
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

139.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

139.61.62.23.in-addr.arpa
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

mkkuei4kdsz.com

dns

omsecor.exe

61 B
77 B
1
1

DNS Request

mkkuei4kdsz.com

DNS Response

64.225.91.73
8.8.8.8:53

73.91.225.64.in-addr.arpa

dns

71 B
138 B
1
1

DNS Request

73.91.225.64.in-addr.arpa
8.8.8.8:53

45.19.74.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

45.19.74.20.in-addr.arpa
8.8.8.8:53

ow5dirasuek.com

dns

omsecor.exe

61 B
77 B
1
1

DNS Request

ow5dirasuek.com

DNS Response

35.91.124.102
8.8.8.8:53

102.124.91.35.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

102.124.91.35.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

24.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

24.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
a5e33943d8064b6db399cf7534bd65cd

SHA1
6dcb38fbb2e35153fe016598d6ef675b038db71e

SHA256
48176186f82671f61df941d889671dd5578bafc160a5fb23d633dd88421a61bf

SHA512
c7d3962af2836b7915b5e73f7ba5678e5aacae1ba37c5f711e474549638300aa58ba195b7b429b5aba57d6d61212d6d39e8e85e789e551e58a6f895037d53e0a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
cc88e75dc8893ebd1ac3549f3d0b48a5

SHA1
b44d70ffbb38f2fd76a754cd8c3c19dff75c2a16

SHA256
948d570b0d366083ce368ee8462feac9699cc98dde6d0e7bd9adde051d6bc93b

SHA512
26cd87873149ffc50e04feee1192f477c66f3f6a36aff9f631e57c864a4cf1ce0812fa9400d753cf3214bc1a030824ca8932f1ef30c1c94b237e4486088ab92d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.