neconyd | 910ae32542a2d2f9a5f0c8574b94358fe21b7a210af9feb7e8c327bcd7b58345

Analysis

max time kernel
112s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 01:38 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1daacbe962fb12dc51a1f0466fa5670N.exe
Size

80KB
MD5

f1daacbe962fb12dc51a1f0466fa5670
SHA1

1985ebec38c09d9fea35ab15067ecb99e98d3b7b
SHA256

910ae32542a2d2f9a5f0c8574b94358fe21b7a210af9feb7e8c327bcd7b58345
SHA512

68899c73badd5b99fdb501901ac170f17980975881b52d00f194280f93fe0fd6d57b7a855464eccd1616738972e7a3ba2028a41999633c88ee1e7189b5b51e27
SSDEEP

768:IfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:IfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
1632	omsecor.exe
4008	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1daacbe962fb12dc51a1f0466fa5670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 1632	4544	f1daacbe962fb12dc51a1f0466fa5670N.exe	84
PID 4544 wrote to memory of 1632	4544	f1daacbe962fb12dc51a1f0466fa5670N.exe	84
PID 4544 wrote to memory of 1632	4544	f1daacbe962fb12dc51a1f0466fa5670N.exe	84
PID 1632 wrote to memory of 4008	1632	omsecor.exe	99
PID 1632 wrote to memory of 4008	1632	omsecor.exe	99
PID 1632 wrote to memory of 4008	1632	omsecor.exe	99

C:\Users\Admin\AppData\Local\Temp\f1daacbe962fb12dc51a1f0466fa5670N.exe
"C:\Users\Admin\AppData\Local\Temp\f1daacbe962fb12dc51a1f0466fa5670N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4008

Network

DNS

lousta.net

omsecor.exe

Remote address:

8.8.8.8:53

Request

lousta.net

IN A

Response

lousta.net

IN A

193.166.255.171
DNS

lousta.net

omsecor.exe

Remote address:

8.8.8.8:53

Request

lousta.net

IN A
DNS

lousta.net

omsecor.exe

Remote address:

8.8.8.8:53

Request

lousta.net

IN A
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1B4EDCF12609604A1114C82A27E9610E; domain=.bing.com; expires=Mon, 08-Sep-2025 01:39:11 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 50F03B02300342E6A80711B6C3D4747C Ref B: LON04EDGE1108 Ref C: 2024-08-14T01:39:11Z
date: Wed, 14 Aug 2024 01:39:11 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B4EDCF12609604A1114C82A27E9610E

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=-QKJGJjjFYhR7_KwhwnvMRdkXUhbjG34z9vMtp-rgMI; domain=.bing.com; expires=Mon, 08-Sep-2025 01:39:11 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F5EAB37E13BF40EBB19CCDFFA57F9D36 Ref B: LON04EDGE1108 Ref C: 2024-08-14T01:39:11Z
date: Wed, 14 Aug 2024 01:39:11 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1B4EDCF12609604A1114C82A27E9610E; MSPTC=-QKJGJjjFYhR7_KwhwnvMRdkXUhbjG34z9vMtp-rgMI

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0FF398BE69954B87B743D405FC4BCBDD Ref B: LON04EDGE1108 Ref C: 2024-08-14T01:39:11Z
date: Wed, 14 Aug 2024 01:39:11 GMT
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

mkkuei4kdsz.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

mkkuei4kdsz.com

IN A

Response

mkkuei4kdsz.com

IN A

64.225.91.73
GET

http://mkkuei4kdsz.com/306/284.html

omsecor.exe

Remote address:

64.225.91.73:80

Request

GET /306/284.html HTTP/1.1
From: 133680731444210839
Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?6g9b4hd86736/:74:4589bc;459a131:
Host: mkkuei4kdsz.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

server: nginx/1.18.0 (Ubuntu)
date: Wed, 14 Aug 2024 01:40:10 GMT
content-type: text/html
content-length: 593
last-modified: Wed, 22 Feb 2023 21:25:52 GMT
etag: "63f68860-251"
accept-ranges: bytes
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

73.91.225.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.91.225.64.in-addr.arpa

IN PTR

Response
DNS

ow5dirasuek.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

ow5dirasuek.com

IN A

Response
DNS

ow5dirasuek.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

ow5dirasuek.com

IN A

Response
DNS

ow5dirasuek.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

ow5dirasuek.com

IN A

Response

ow5dirasuek.com

IN A

52.34.198.229
DNS

ow5dirasuek.com

omsecor.exe

Remote address:

8.8.8.8:53

Request

ow5dirasuek.com

IN A

Response

ow5dirasuek.com

IN A

52.34.198.229
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 622808
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 608FBD309EE2408F85642B770E5E39AE Ref B: LON04EDGE1206 Ref C: 2024-08-14T01:40:55Z
date: Wed, 14 Aug 2024 01:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301078_1O81E4QM35DM2EN4A&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301078_1O81E4QM35DM2EN4A&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 663065
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CB6209B1288E4817B4CF152A6F0D7053 Ref B: LON04EDGE1206 Ref C: 2024-08-14T01:40:55Z
date: Wed, 14 Aug 2024 01:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418578_1AMTWIX1RFG5EZ1V6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418578_1AMTWIX1RFG5EZ1V6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 1061732
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 14DC3B7880C243E999D978AF2EA083B1 Ref B: LON04EDGE1206 Ref C: 2024-08-14T01:40:55Z
date: Wed, 14 Aug 2024 01:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 944920
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 06A823CAA1C0466E96260653D4B7D1F3 Ref B: LON04EDGE1206 Ref C: 2024-08-14T01:40:55Z
date: Wed, 14 Aug 2024 01:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 594481
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B246B326A4414D6990C843A3AD9BF438 Ref B: LON04EDGE1206 Ref C: 2024-08-14T01:40:55Z
date: Wed, 14 Aug 2024 01:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 625518
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0FFF6EED9B1C418DAC6DF5209C68BFE8 Ref B: LON04EDGE1206 Ref C: 2024-08-14T01:40:56Z
date: Wed, 14 Aug 2024 01:40:56 GMT

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

tls, http2

3.6kB
10.7kB
25
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ec30724be091451590cf138e8c29c0b1&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=

HTTP Response

204
193.166.255.171:80

lousta.net

omsecor.exe

260 B
5
193.166.255.171:80

lousta.net

omsecor.exe

260 B
5
64.225.91.73:80

http://mkkuei4kdsz.com/306/284.html

http

omsecor.exe

421 B
948 B
5
3

HTTP Request

GET http://mkkuei4kdsz.com/306/284.html

HTTP Response

200
193.166.255.171:80

lousta.net

omsecor.exe

260 B
5
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

159.1kB
4.7MB
3389
3380

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301078_1O81E4QM35DM2EN4A&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418578_1AMTWIX1RFG5EZ1V6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

lousta.net

dns

omsecor.exe

168 B
72 B
3
1

DNS Request

lousta.net

DNS Request

lousta.net

DNS Request

lousta.net

DNS Response

193.166.255.171
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

146 B
143 B
2
1

DNS Request

237.197.79.204.in-addr.arpa

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

43.58.199.20.in-addr.arpa

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

mkkuei4kdsz.com

dns

omsecor.exe

61 B
77 B
1
1

DNS Request

mkkuei4kdsz.com

DNS Response

64.225.91.73
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

73.91.225.64.in-addr.arpa

dns

71 B
138 B
1
1

DNS Request

73.91.225.64.in-addr.arpa
8.8.8.8:53

ow5dirasuek.com

dns

omsecor.exe

244 B
276 B
4
4

DNS Request

ow5dirasuek.com

DNS Request

ow5dirasuek.com

DNS Request

ow5dirasuek.com

DNS Request

ow5dirasuek.com

DNS Response

52.34.198.229

DNS Response

52.34.198.229
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
cfa53eda29f7e2082a78e4f830eb4491

SHA1
0ab9900706c4eb47cdbfac02d28ebdd531e38476

SHA256
c75106b2dba2db9069f3303654f61ccc3c95fe92533ae14d93907b02a200237c

SHA512
b9bbf1279ab0faedb2cb4f5cc01815e3bebdfae629f31518f0fd86592b5ee55b9cf3214f4548037023886974f14b1a45eeedd6e073bd981f89109fa6a8bc1d64

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
c8f80062cdc7cf75b1cdf5f080ff6247

SHA1
5f1ea757d68c78a1cdb1c57d6ad8d0bbab4854cf

SHA256
e791c2d8bc81ea4e04ad880559586ed778bf828ef24dc356e06a4c691c138e06

SHA512
b893bce763d5533784c702a13959bf1af74c1ab4f1713c02b234df22f751fc3d2c82f0333e678e797afdd9f75a6a81136f7b37a80ad4ecbbac70d7b46d7b8de9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.