Analysis
max time kernel: 148s
max time network: 161s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2024, 08:16
Static task: static1
Behavioral task: behavioral1
Sample: 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
Resource: win7-20241010-en
General
Target: 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
Size: 134KB
MD5: e8652612b04bdfeff601676821e6dbb0
SHA1: 10ff1ba8513857b41715212f2efa202e06db77c7
SHA256: 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730
SHA512: 5c8ce1cc45116fbc001f3282076837af2637a1feb593a934c48ca8b796da2e36abaf47a10ed93a527ecb286474c6f20241e5eb751b9f0e31298eda1edbd43af5
SSDEEP: 1536:QDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:GiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
Executes dropped EXE (6 IoCs)
pid   process
2912  omsecor.exe
1848  omsecor.exe
2072  omsecor.exe
2960  omsecor.exe
1632  omsecor.exe
332   omsecor.exe
Loads dropped DLL (6 IoCs)
pid   process
2392  27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
2392  27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
1848  omsecor.exe
1848  omsecor.exe
2960  omsecor.exe
2960  omsecor.exe
Drops file in System32 directory (1 IoC)
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
Note: despite the signature name, the file lands in SysWOW64, not System32. The process tree shows a 32-bit omsecor.exe whose command line names C:\Windows\System32\omsecor.exe while its image path is C:\Windows\SysWOW64\omsecor.exe; WOW64 file system redirection maps a 32-bit process's System32 file operations to SysWOW64. Hunt for the SysWOW64 path, and expect the System32 spelling in command-line telemetry.
Suspicious use of SetThreadContext (4 IoCs)
pid   target  process                                                                  procid_target
2744  2392    27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe  30
2912  1848    omsecor.exe                                                              32
2072  2960    omsecor.exe                                                              35
1632  332     omsecor.exe                                                              37
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
MITRE ATT&CK T1614.001: an attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Caveat: legitimate locale-aware software reads this key too, so on its own it is context for the other signatures rather than a detection.
Suspicious use of WriteProcessMemory (36 IoCs, grouped by source and target)
pid   target  process                                                                  procid_target  writes
2744  2392    27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe  30             6
2392  2912    27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe  31             4
2912  1848    omsecor.exe                                                              32             6
1848  2072    omsecor.exe                                                              34             4
2072  2960    omsecor.exe                                                              35             6
2960  1632    omsecor.exe                                                              36             4
1632  332     omsecor.exe                                                              37             6
Every pair that also appears in the SetThreadContext table (2744/2392, 2912/1848, 2072/2960, 1632/332) received six writes, and in each of those pairs source and target run the same image: a parent starting a copy of itself, writing into it and then resetting its thread context, which is the process-hollowing (RunPE) pattern. The four-write pairs are plain parent-to-child spawns of the next stage.
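The two tables above can be turned into the injection chain mechanically. The script below is an added example for this report, not sandbox output; it embeds the report's own rows (reduced to one row per source/target pair) and the image paths from the process tree, then flags a pair as hollowing only when the source both wrote into the target and set its thread context and both run the same image name. A parent that only writes to a child (2392 into 2912, for instance) is left alone, since WriteProcessMemory on its own is much weaker evidence.

```python
"""Rebuild the spawn/injection chain from the report's IoC rows.

Added example; not part of the sandbox report. Rows and image paths are
copied from the report's tables and process tree.
"""
import re
from collections import defaultdict

SAMPLE = "27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Image path per PID, copied from the report's process tree.
PROCESS_IMAGE = {
    2744: TEMP + "\\" + SAMPLE,
    2392: TEMP + "\\" + SAMPLE,
    2912: ROAMING,
    1848: ROAMING,
    2072: SYSWOW,
    2960: SYSWOW,
    1632: ROAMING,
    332: ROAMING,
}

# One row per (source, target) pair from the SetThreadContext and
# WriteProcessMemory tables; the report repeats the write rows.
REPORT_ROWS = f"""
PID 2744 set thread context of 2392 2744 {SAMPLE} 30
PID 2912 set thread context of 1848 2912 omsecor.exe 32
PID 2072 set thread context of 2960 2072 omsecor.exe 35
PID 1632 set thread context of 332 1632 omsecor.exe 37
PID 2744 wrote to memory of 2392 2744 {SAMPLE} 30
PID 2392 wrote to memory of 2912 2392 {SAMPLE} 31
PID 2912 wrote to memory of 1848 2912 omsecor.exe 32
PID 1848 wrote to memory of 2072 1848 omsecor.exe 34
PID 2072 wrote to memory of 2960 2072 omsecor.exe 35
PID 2960 wrote to memory of 1632 2960 omsecor.exe 36
PID 1632 wrote to memory of 332 1632 omsecor.exe 37
"""

# "PID <src> <verb> <dst> <src again> <image> <procid_target>"
ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ \S+ \d+"
)


def parse_rows(text):
    """Map (source_pid, target_pid) -> set of event kinds seen for the pair."""
    events = defaultdict(set)
    for m in ROW_RE.finditer(text):
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        events[(src, dst)].add("context" if verb.startswith("set") else "write")
    return dict(events)


def image_name(images, pid):
    """Basename of the PID's image, lower-cased for comparison."""
    return images[pid].rsplit("\\", 1)[-1].lower()


def hollowed_pairs(events, images):
    """Pairs where the source wrote into the target AND reset its thread
    context, and both run the same image name: the RunPE / hollowing
    signature. Write-only pairs are ordinary spawns and are not flagged."""
    hits = []
    for (src, dst), kinds in events.items():
        if kinds == {"write", "context"} and image_name(images, src) == image_name(images, dst):
            hits.append((src, dst))
    return sorted(hits)


def injection_chain(events, root):
    """Follow the write/context edges from root to recover spawn order.
    Assumes one child per source, as in this report; stops on a cycle."""
    children = defaultdict(list)
    for src, dst in events:
        children[src].append(dst)
    chain, seen = [root], {root}
    while children.get(chain[-1]):
        nxt = children[chain[-1]][0]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


if __name__ == "__main__":
    ev = parse_rows(REPORT_ROWS)
    print("chain:", " -> ".join(str(p) for p in injection_chain(ev, 2744)))
    for src, dst in hollowed_pairs(ev, PROCESS_IMAGE):
        print(f"hollowing: {src} -> {dst} ({image_name(PROCESS_IMAGE, src)})")
```

Run as-is it prints the chain 2744 -> 2392 -> 2912 -> 1848 -> 2072 -> 2960 -> 1632 -> 332 and the four hollowed pairs. Note the alternation: each stage hollows a copy of itself, and it is the hollowed copy (the one also tagged "Loads dropped DLL") that spawns the next stage.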
Processes (image path, command line, signatures; depth shown in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe (PID 2744)
  command line: "C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe (PID 2392)
    command line: C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2912)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1848)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\omsecor.exe (PID 2072)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\omsecor.exe (PID 2960)
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1632)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              - [8] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 332)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads
Three dropped files, each 134KB like the submitted sample, but none shares a hash with the sample or with each other; a hash-only blocklist built from the sample will not catch the dropped omsecor.exe copies.
- Filesize: 134KB
  MD5: fd29e3ec0adbe41ec0dde8fcd181fbfd
  SHA1: 8e25cb8af3c2c6593da992f1c0ac5db70878700e
  SHA256: f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a
  SHA512: 351ce623d44933e9f02c15c3cf7c3933200457ee56a300a02a15250cc9aa2392a55d3f974ddcde7317c3de4b87c34c7ac5f566face55bfd91c73c42304112fc3
- Filesize: 134KB
  MD5: 783be9f53f8739747f523040fe3d4a5c
  SHA1: 8ca46ba5c49e685d13d73b77d38dc9d3cacc504f
  SHA256: c36cfdc109a6123703fcd7863df6a0e2b9fcdc0458961f3c3fa831b57ea525eb
  SHA512: 002bb3abdb67772c779efe74d1c1287b9cc38b2922ff5aa214fb57a2f9d846e2daceca5c192cee84969710e20dc761757f99513aac0c7c793c16c2456a16b46b
- Filesize: 134KB
  MD5: 592458d3ca974a55d54d915129518415
  SHA1: 46cb162d598226076478a839f5a3e65e35e87890
  SHA256: 8a34ab8ea2f67798a0758b98d8eede86e0420864f7a60ecf114f0f9cfc2b9edb
  SHA512: 7a4928d65a76db1768f6a380e33e7f0781aebc0c5f1918ae8e7783005cecae27623ee500f91de533d3148af3ec36513b874f7412f2feba929ff6b8db2947fc4e
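Because the dropped copies do not share a hash with the sample, a host hunt has to match on more than the hashes in this report. The script below is an added example, not part of the sandbox output: it carries the four SHA256 values from the report, walks the two drop locations the process tree shows (%APPDATA% and %WINDIR%\SysWOW64), and reports a file as a hit by known hash, by the dropped-file name, and by size close to the reported 134KB. The test tree it builds is constructed for an offline run and contains no real sample; the 134KB figure is rounded in the report, so the size check is deliberately loose.

```python
"""Host hunt for the artefacts in this report.

Added example; not sandbox output. Hash matching alone misses the
dropped omsecor.exe copies, whose hashes differ from the sample's, so
the hunt also matches on the drop name and approximate size.
"""
import hashlib
import os
import tempfile

# SHA256 values from the report: the submitted sample plus the three
# files under Downloads.
KNOWN_SHA256 = {
    "27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730",
    "f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a",
    "c36cfdc109a6123703fcd7863df6a0e2b9fcdc0458961f3c3fa831b57ea525eb",
    "8a34ab8ea2f67798a0758b98d8eede86e0420864f7a60ecf114f0f9cfc2b9edb",
}
DROP_NAME = "omsecor.exe"
DROP_SIZE = 134 * 1024      # the report shows a rounded "134KB"
SIZE_SLACK = 2048           # assumption: accept +/- 2KB around it


def sha256_of(path):
    """Streamed SHA256 so large files do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return the list of reasons this file matches the report ([] if none)."""
    reasons = []
    if sha256_of(path) in KNOWN_SHA256:
        reasons.append("sha256 listed in report")
    if os.path.basename(path).lower() == DROP_NAME:
        reasons.append("name matches dropped file")
        if abs(os.path.getsize(path) - DROP_SIZE) <= SIZE_SLACK:
            reasons.append("size close to 134KB")
    return reasons


def hunt(roots):
    """Walk the given roots and return {path: reasons} for every hit."""
    hits = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for fn in files:
                p = os.path.join(dirpath, fn)
                try:
                    reasons = classify(p)
                except OSError:
                    continue            # unreadable or vanished; skip
                if reasons:
                    hits[p] = reasons
    return hits


def drop_roots():
    """Drop locations from the report's process tree; Windows only."""
    roots = [os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "SysWOW64")]
    appdata = os.environ.get("APPDATA")
    if appdata:
        roots.insert(0, appdata)
    return roots


def make_constructed_tree():
    """Constructed test tree (not from the report): one look-alike drop
    with the right name and size but an unknown hash, plus one unrelated
    file, so the hunt can be exercised offline."""
    d = tempfile.mkdtemp(prefix="neconyd_hunt_")
    fake = os.path.join(d, "Roaming", DROP_NAME)
    os.makedirs(os.path.dirname(fake))
    with open(fake, "wb") as f:
        f.write(b"MZ" + b"\0" * (DROP_SIZE - 2))
    benign = os.path.join(d, "readme.txt")
    with open(benign, "wb") as f:
        f.write(b"nothing to see")
    return d, fake, benign


if __name__ == "__main__":
    root, _, _ = make_constructed_tree()
    for p, why in hunt([root]).items():
        print(p, "->", ", ".join(why))
    if os.name == "nt":
        for p, why in hunt(drop_roots()).items():
            print(p, "->", ", ".join(why))
```

On the constructed tree the look-alike is reported by name and size only, which is exactly the case a hash list misses; a real hit on a Windows host should be pulled for hashing and compared against the process-tree paths before it is cleaned up.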