Analysis
max time kernel: 144s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 08:16
Static task: static1
Behavioral task: behavioral1
Sample: 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
Resource: win7-20241010-en
General
Target: 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
Size: 134KB
MD5: e8652612b04bdfeff601676821e6dbb0
SHA1: 10ff1ba8513857b41715212f2efa202e06db77c7
SHA256: 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730
SHA512: 5c8ce1cc45116fbc001f3282076837af2637a1feb593a934c48ca8b796da2e36abaf47a10ed93a527ecb286474c6f20241e5eb751b9f0e31298eda1edbd43af5
SSDEEP: 1536:QDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:GiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config
Extracted: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family

Executes dropped EXE (6 IoCs)
  pid   Process
  2152  omsecor.exe
  2728  omsecor.exe
  492   omsecor.exe
  4952  omsecor.exe
  4848  omsecor.exe
  4812  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 4356 set thread context of 3952  4356  27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe  86
  PID 2152 set thread context of 2728  2152  omsecor.exe                                                             90
  PID 492 set thread context of 4952   492   omsecor.exe                                                             115
  PID 4848 set thread context of 4812  4848  omsecor.exe                                                             119
  In every row the child runs the same image as its parent (see the process tree), and the same parent also writes into that child in the WriteProcessMemory signature below. WriteProcessMemory into a freshly launched copy of your own image followed by SetThreadContext is the process-hollowing (self-injection) pattern, not debugger activity.

Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  4312  2152        WerFault.exe  89
  4856  4356        WerFault.exe  83
  1020  492         WerFault.exe  114
  1844  4848        WerFault.exe  117
  The four crashed targets (4356, 2152, 492, 4848) are exactly the four processes that set a child's thread context above: each parent crashes after handing execution to its hollowed child.

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe (6 rows)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe (2 rows)
  This key is also read by ordinary locale-aware code, so on its own it is a weak indicator; it carries weight here only because the reader is the dropped omsecor.exe.

Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, with the row count)
  description                       rows  pid   Process                                                                 procid_target
  PID 4356 wrote to memory of 3952  5     4356  27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe  86
  PID 3952 wrote to memory of 2152  3     3952  27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe  89
  PID 2152 wrote to memory of 2728  5     2152  omsecor.exe                                                             90
  PID 2728 wrote to memory of 492   3     2728  omsecor.exe                                                             114
  PID 492 wrote to memory of 4952   5     492   omsecor.exe                                                             115
  PID 4952 wrote to memory of 4848  3     4952  omsecor.exe                                                             117
  PID 4848 wrote to memory of 4812  5     4848  omsecor.exe                                                             119
  The five-row pairs are the four SetThreadContext (hollowing) pairs; the three-row pairs are the ordinary launches of the next stage by the hollowed process.
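The three signatures above describe a single chain: each stage hollows a copy of itself, and the hollowed copy launches the next stage. The script below is an added example, not code from the sandbox report. It parses the SetThreadContext, WriteProcessMemory and Program crash rows exactly as the report prints them (copied here with the row multiplicities the report shows), pairs them with the pid-to-image mapping from the process tree, and reconstructs the chain. The hollowing heuristic (parent writes into a child that runs the same image, then sets its thread context) and the row-format assumptions are mine.

```python
"""Reconstruct the injection chain from the report's flattened signature rows.

Added example; not code from the sandbox report.  The rows below are copied
from the report's SetThreadContext, WriteProcessMemory and Program crash
signatures; the parsing and the hollowing heuristic are my own and assume
that row format.
"""
import re
from collections import defaultdict

N = "27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"
SAMPLE = "\\".join([r"C:\Users\Admin\AppData\Local\Temp", N])
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# pid -> image path, copied from the report's process tree
IMAGE = {4356: SAMPLE, 3952: SAMPLE, 2152: ROAMING, 2728: ROAMING,
         492: SYSWOW64, 4952: SYSWOW64, 4848: ROAMING, 4812: ROAMING}

SET_THREAD_CONTEXT_ROWS = " ".join([
    f"PID 4356 set thread context of 3952 4356 {N} 86",
    "PID 2152 set thread context of 2728 2152 omsecor.exe 90",
    "PID 492 set thread context of 4952 492 omsecor.exe 115",
    "PID 4848 set thread context of 4812 4848 omsecor.exe 119",
])

# 29 rows in the report: 5 per hollowed child, 3 per plainly spawned child
WRITE_PROCESS_MEMORY_ROWS = " ".join(
    [f"PID 4356 wrote to memory of 3952 4356 {N} 86"] * 5
    + [f"PID 3952 wrote to memory of 2152 3952 {N} 89"] * 3
    + ["PID 2152 wrote to memory of 2728 2152 omsecor.exe 90"] * 5
    + ["PID 2728 wrote to memory of 492 2728 omsecor.exe 114"] * 3
    + ["PID 492 wrote to memory of 4952 492 omsecor.exe 115"] * 5
    + ["PID 4952 wrote to memory of 4848 4952 omsecor.exe 117"] * 3
    + ["PID 4848 wrote to memory of 4812 4848 omsecor.exe 119"] * 5
)

PROGRAM_CRASH_ROWS = ("4312 2152 WerFault.exe 89 4856 4356 WerFault.exe 83 "
                      "1020 492 WerFault.exe 114 1844 4848 WerFault.exe 117")

ROW_RE = re.compile(r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+)")
CRASH_RE = re.compile(r"\b(\d+) (\d+) WerFault\.exe (\d+)")


def parse_pairs(rows):
    """{parent_pid: {child_pid, ...}} from a flattened signature row string."""
    pairs = defaultdict(set)
    for m in ROW_RE.finditer(rows):
        pairs[int(m.group(1))].add(int(m.group(2)))
    return pairs


def hollowing_pairs():
    """(parent, child) where the parent wrote into a child running the same
    image and then set its thread context: the process-hollowing shape."""
    writes = parse_pairs(WRITE_PROCESS_MEMORY_ROWS)
    ctx = parse_pairs(SET_THREAD_CONTEXT_ROWS)
    return sorted((p, c) for p, kids in ctx.items() for c in kids
                  if c in writes.get(p, ()) and IMAGE.get(p) == IMAGE.get(c))


def crashed_pids():
    """pid_target column of the Program crash rows (the process WerFault reported on)."""
    return {int(m.group(2)) for m in CRASH_RE.finditer(PROGRAM_CRASH_ROWS)}


def injection_chain(root=4356):
    """Follow parent->child edges from the root, labelling each hop 'hollow'
    (same image + SetThreadContext) or 'spawn' (ordinary child launch)."""
    writes = parse_pairs(WRITE_PROCESS_MEMORY_ROWS)
    hollow = set(hollowing_pairs())
    chain, pid = [], root
    while writes.get(pid):
        (child,) = writes[pid]  # every process in this report has exactly one child
        chain.append((pid, child, "hollow" if (pid, child) in hollow else "spawn"))
        pid = child
    return chain


def hollowed_parents_crashed():
    """True when every process that hollowed a child is also a WerFault target."""
    return {p for p, _ in hollowing_pairs()} == crashed_pids()


if __name__ == "__main__":
    for parent, child, kind in injection_chain():
        print(f"{parent:>5} -{kind:->7}> {child:<5} {IMAGE[child]}")
    print("hollowing parents all crashed:", hollowed_parents_crashed())
```

The same parser works on any Triage-style export where the rows are run together onto one line, which is how they arrive when the report is scraped to text; the only report-specific input is the pid-to-image map.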
Processes
Indented by depth (the digit before each ⤵ in the raw report). Each entry is the image path and PID; the command line is shown only where it differs from the image path.

C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe  PID 4356
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe  PID 3952
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\omsecor.exe  PID 2152
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\omsecor.exe  PID 2728
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\omsecor.exe  PID 492
          command line: C:\Windows\System32\omsecor.exe (a 32-bit process on x64 Windows: its System32 path is redirected to SysWOW64 by WOW64 file-system redirection, which is why the "Drops file in System32 directory" IoC names C:\Windows\SysWOW64\omsecor.exe; search both paths when hunting)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\omsecor.exe  PID 4952
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\omsecor.exe  PID 4848
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Roaming\omsecor.exe  PID 4812
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 260  PID 1844
                - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 292  PID 1020
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 276  PID 4312
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 288  PID 4856
    - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4356 -ip 4356  PID 2140
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2152 -ip 2152  PID 4136
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 492 -ip 492  PID 4352
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4848 -ip 4848  PID 4788
Network
MITRE ATT&CK Enterprise v15
Downloads
Three files dropped during the run. The report names no dropped executable other than omsecor.exe, so these are its successive copies; all three are the same 134KB size as the submitted sample, yet each has a different hash and none matches the sample, so a hash blocklist built from this run will not match the next drop. Match on the drop paths and the behaviour instead.

Filesize: 134KB
MD5: f5a469f906b30de607ca24694ae3c1dd
SHA1: 929c446f2e726e08ba4b8a3700fe14cb4ec5479d
SHA256: c9633beffc2b7a83295b5b98dcbdf48824ffe64fbc14707471e2b4025c148e3b
SHA512: ab05562f2a6ba43ed2ce065338674505298643f338c47caa1bcb97870be7447e6019f2bedaf3c7e33cb7a19bfc23aed25831bddfd899d4d3aa032f06f561fb94

Filesize: 134KB
MD5: fd29e3ec0adbe41ec0dde8fcd181fbfd
SHA1: 8e25cb8af3c2c6593da992f1c0ac5db70878700e
SHA256: f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a
SHA512: 351ce623d44933e9f02c15c3cf7c3933200457ee56a300a02a15250cc9aa2392a55d3f974ddcde7317c3de4b87c34c7ac5f566face55bfd91c73c42304112fc3

Filesize: 134KB
MD5: b327fd67ef32a48c000590090f56b74e
SHA1: b80c17390e9852a0dff1a56376eca86f25f24d7e
SHA256: 13311b523cc417d9d62fc81a82982dbc68f125e4ca9a85edbe1ef19123b5dc58
SHA512: c5c81ca96e204bbb227895ff917410d5bc342894425f278f684ec08bab54ecb547d132de4392015b72f73088a31342bcf9c8ea20144aa646ea6f1e95dda2cd4a
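To turn the Malware Config URLs, the dropped-file hashes, the two drop paths and the NLS\Language registry read into something that can be run over telemetry, here is an added example (my code, not part of the sandbox report). The indicator values are copied from the report; the log lines are constructed for the demo and their key="value" layout is an assumption rather than any product's format. It deliberately matches drops by path as well as by hash, since the report's three dropped copies already carry three different hashes, and it only counts the NLS\Language read when the reader is itself at a drop path.

```python
"""Match this report's indicators against simple host/network telemetry.

Added example; not code from the sandbox report.  Indicator values (config
URLs, hashes, drop paths, registry key) are copied from the report.  The log
lines are constructed for the demo and their key="value" format is an
assumption, not any particular product's.
"""
import re
from urllib.parse import urlparse

# URLs from the report's extracted neconyd config, treated as C2 endpoints
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]
C2_DOMAINS = {urlparse(u).hostname for u in C2_URLS}

KNOWN_SHA256 = {
    "27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730",  # submitted sample
    "c9633beffc2b7a83295b5b98dcbdf48824ffe64fbc14707471e2b4025c148e3b",  # dropped omsecor.exe
    "f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a",  # dropped omsecor.exe
    "13311b523cc417d9d62fc81a82982dbc68f125e4ca9a85edbe1ef19123b5dc58",  # dropped omsecor.exe
}
# Both drop locations from the report.  System32 is included because a 32-bit
# process writing there is redirected to SysWOW64, so either spelling can
# appear depending on which layer produced the log.
DROP_PATH_RE = re.compile(
    r"\\(?:AppData\\Roaming|Windows\\(?:System32|SysWOW64))\\omsecor\.exe$", re.I)
# The report shows the native path \REGISTRY\MACHINE\...; Win32 logs show HKLM\...
NLS_LANGUAGE_KEY = r"\SYSTEM\ControlSet001\Control\NLS\Language"

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line):
    return dict(KV_RE.findall(line))


def host_of(value):
    """Hostname from a URL or a bare DNS name, lower-cased, trailing dot removed."""
    host = urlparse(value).hostname if "://" in value else value
    return (host or "").lower().rstrip(".")


def scan(lines):
    """Return [(indicator_kind, detail)] for each line that matches an IOC."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        kind = ev.get("event")
        if kind == "dns" and host_of(ev.get("query", "")) in C2_DOMAINS:
            hits.append(("c2_dns", host_of(ev["query"])))
        elif kind == "http" and host_of(ev.get("url", "")) in C2_DOMAINS:
            hits.append(("c2_http", host_of(ev["url"])))
        elif kind == "filecreate":
            path, sha = ev.get("path", ""), ev.get("sha256", "").lower()
            if sha in KNOWN_SHA256:
                hits.append(("known_hash", path))
            elif DROP_PATH_RE.search(path):
                # same drop path, unseen hash: the report's three dropped copies
                # already had three different hashes, so the path is the signal
                hits.append(("drop_path_new_hash", path))
        elif kind == "regread":
            # NLS\Language is read by plenty of benign code; count it only when
            # the reader is itself sitting at one of the drop paths
            if (ev.get("key", "").lower().endswith(NLS_LANGUAGE_KEY.lower())
                    and DROP_PATH_RE.search(ev.get("image", ""))):
                hits.append(("nls_language_read", ev["image"]))
    return hits


# Constructed telemetry for the demo (not from the report).
SAMPLE_LOG = [
    r'event="dns" query="ow5dirasuek.com" image="C:\Users\Admin\AppData\Roaming\omsecor.exe"',
    r'event="dns" query="www.microsoft.com" image="C:\Windows\System32\svchost.exe"',
    r'event="http" url="http://lousta.net/" image="C:\Windows\SysWOW64\omsecor.exe"',
    r'event="filecreate" path="C:\Users\Admin\AppData\Roaming\omsecor.exe" '
    r'sha256="c9633beffc2b7a83295b5b98dcbdf48824ffe64fbc14707471e2b4025c148e3b"',
    r'event="filecreate" path="C:\Windows\SysWOW64\omsecor.exe" '
    r'sha256="0000000000000000000000000000000000000000000000000000000000000000"',
    r'event="regread" key="HKLM\SYSTEM\ControlSet001\Control\NLS\Language" image="C:\Windows\explorer.exe"',
    r'event="regread" key="HKLM\SYSTEM\ControlSet001\Control\NLS\Language" image="C:\Windows\SysWOW64\omsecor.exe"',
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:<20} {detail}")
```

Run as-is it reports five hits from the seven constructed lines: the two C2 contacts, the known-hash drop, the SysWOW64 drop with an unseen hash, and the NLS\Language read by omsecor.exe; the svchost.exe DNS query and the explorer.exe registry read are correctly ignored.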