Analysis
max time kernel: 115s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 10:13
Behavioral task: behavioral1
Sample: 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
Resource: win7-20241010-en
General
Target: 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
Size: 80KB
MD5: bc8b681de09a7deaf026fc2beb9781c0
SHA1: c59da05a118d7a0fc5c7c707a0cfcee4aef9facd
SHA256: 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660
SHA512: ff3d8a195bec3f240d3ef78369017e9fc51db4ef6a57f41b53dfbfc08b3304583e5ee86df86d2da2f90c1255c41aaf055ec5dcce22f1fe669cc97846999671b8
SSDEEP: 1536:6d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzz:adseIOMEZEyFjEOFqTiQmOl/5xPvw3
Malware Config
Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
  pid   Process
  4560  omsecor.exe
  3004  omsecor.exe
  4924  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid   Process                                                                  procid_target
  PID 2488 wrote to memory of 4560    2488  65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe   84
  PID 2488 wrote to memory of 4560    2488  65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe   84
  PID 2488 wrote to memory of 4560    2488  65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe   84
  PID 4560 wrote to memory of 3004    4560  omsecor.exe                                                              100
  PID 4560 wrote to memory of 3004    4560  omsecor.exe                                                              100
  PID 4560 wrote to memory of 3004    4560  omsecor.exe                                                              100
  PID 3004 wrote to memory of 4924    3004  omsecor.exe                                                              101
  PID 3004 wrote to memory of 4924    3004  omsecor.exe                                                              101
  PID 3004 wrote to memory of 4924    3004  omsecor.exe                                                              101
Processes (tree; each entry is a child of the one above it)

1. C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2488

  2. C:\Users\Admin\AppData\Roaming\omsecor.exe
     command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
     - Executes dropped EXE
     - Drops file in System32 directory
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     PID: 4560

    3. C:\Windows\SysWOW64\omsecor.exe
       command line: C:\Windows\System32\omsecor.exe
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       PID: 3004

      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 4924
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: 624fe7b65e496655894d615bc1ce69c3
SHA1: a544911f430103ed1ae0178e7791118570bbfcf9
SHA256: 6d93dc9796783c05a712d76ea7b430c449a496236aaa745377a5d5eb26817272
SHA512: 4add86cd85edcdd29301bbca27eaf0ce272a4838c7a9d2d265b9d1acc220bca8de376ff15a2b28651e37d3823c21be6462d776e04ea5e1593b6f0cf8cbad18f4

Filesize: 80KB
MD5: b2efdd7070e9ca2edc770f508c705ffb
SHA1: f7fd589f8e939506f1e30b5cceebd3bbdae7002a
SHA256: e8cf27d1567cafecf427e2cca3ec6c75f21e3789248a9bacf3d2c41269456cbb
SHA512: 5a8eae141727f11ed598eef7e255f4819f31b6d386cc9f2b83a816b2f971d53c45606c2bd243d397f21d0d598879b61b75fb44d2748463e971fdd3671234288f

Filesize: 80KB
MD5: fcd46e504f6189094450df42a943abeb
SHA1: 93527071cae2e012ce18a2ce9ac3475d5e71c07a
SHA256: f4a798a011662ec70ec3c67df78b215f6ed3343826e07d57e1f812f16c6e3bcd
SHA512: 7932a601cba8f6922c3440ff032a4221a0f85fdb8624854c395797cb9043ccb0aa9b0051185df4df19835cc67e36f3e7b42410e8e01d8c89b7734c89d3f0ce4d