Analysis
max time kernel: 85s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 10:13
Behavioral task: behavioral1
Sample: 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
Resource: win7-20241010-en
General
Target: 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
Size: 80KB
MD5: bc8b681de09a7deaf026fc2beb9781c0
SHA1: c59da05a118d7a0fc5c7c707a0cfcee4aef9facd
SHA256: 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660
SHA512: ff3d8a195bec3f240d3ef78369017e9fc51db4ef6a57f41b53dfbfc08b3304583e5ee86df86d2da2f90c1255c41aaf055ec5dcce22f1fe669cc97846999671b8
SSDEEP: 1536:6d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:adseIOMEZEyFjEOFqTiQmOl/5xPvw3
Malware Config
Extracted family: neconyd
C2 URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2580  omsecor.exe
2508  omsecor.exe
2272  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2100  65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
2100  65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
2580  omsecor.exe
2580  omsecor.exe
2508  omsecor.exe
2508  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs; each of the three events below was recorded 4 times)
description                    pid   Process                                                                  procid_target
PID 2100 wrote to memory of 2580  2100  65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe  30
PID 2580 wrote to memory of 2508  2580  omsecor.exe                                                              32
PID 2508 wrote to memory of 2272  2508  omsecor.exe                                                              33
Processes
1. C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe (PID 2100)
   Command line: "C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2580, child of 1)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 2508, child of 2)
         Command line: C:\Windows\System32\omsecor.exe (the image actually loaded is the SysWOW64 copy)
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2272, child of 3)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 80KB
MD5: ece0417594aaf2f1480b46319ebe7de7
SHA1: 40d70e6dd13cf4c6a7843b6a4110fac507be6c09
SHA256: 6c027ec55eb76d9a35b9c4a14210277ab648f69852fb72b5084e2d850191be8c
SHA512: c9b891b696fd9d219fa77dd685893be0e23c0094f3070b5b529259f687f0e597ee632b1a2c69c55443b3d3df340d2e67265f36ba0805d314ed148d93e8bb007a

File 2
Filesize: 80KB
MD5: 2a49c87b068857d8ece66848480eef0b
SHA1: c3fe5d871ef0058e14534767fb2cf861a501a753
SHA256: 08e319bec723fc8de14b82dc58a639609de57a082cf1d7334d9535eefeb4b825
SHA512: 1c7d0aca6afc681073a199af8471703de1b9e679ba94597004364c42723cde1f1ebc04a5b4cd549a2ee7d4bcd82a69ed6442fc8f1c4c98745c62ffcc6e26c32b

File 3
Filesize: 80KB
MD5: b2efdd7070e9ca2edc770f508c705ffb
SHA1: f7fd589f8e939506f1e30b5cceebd3bbdae7002a
SHA256: e8cf27d1567cafecf427e2cca3ec6c75f21e3789248a9bacf3d2c41269456cbb
SHA512: 5a8eae141727f11ed598eef7e255f4819f31b6d386cc9f2b83a816b2f971d53c45606c2bd243d397f21d0d598879b61b75fb44d2748463e971fdd3671234288f