Analysis
max time kernel: 114s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 20:29
Behavioral task
behavioral1
Sample
6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
Resource
win7-20240903-en
General
Target: 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
Size: 88KB
MD5: 9696aabe3d06fde042bc8e1ed8b17cc0
SHA1: 14bcc2cc8eb9c2bc2137472c7531597213c0b4f0
SHA256: 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191e
SHA512: f530d3a57fa2795bbf7fc2f57ef6462df426f22e71f4f448f45992a9b0de2543925596d03ff4c5400d9d4f3bce307e47011fec8556c3bc2d91a9643c2513e478
SSDEEP: 768:0MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:0bIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE 3 IoCs
pid   Process
2104  omsecor.exe
2224  omsecor.exe
1484  omsecor.exe
Loads dropped DLL 6 IoCs
pid   Process
2408  6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
2408  6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
2104  omsecor.exe
2104  omsecor.exe
2224  omsecor.exe
2224  omsecor.exe
Drops file in System32 directory 1 IoCs
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process                                                                   procid_target
PID 2408 wrote to memory of 2104  2408  6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe  30
PID 2408 wrote to memory of 2104  2408  6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe  30
PID 2408 wrote to memory of 2104  2408  6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe  30
PID 2408 wrote to memory of 2104  2408  6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe  30
PID 2104 wrote to memory of 2224  2104  omsecor.exe                                                               33
PID 2104 wrote to memory of 2224  2104  omsecor.exe                                                               33
PID 2104 wrote to memory of 2224  2104  omsecor.exe                                                               33
PID 2104 wrote to memory of 2224  2104  omsecor.exe                                                               33
PID 2224 wrote to memory of 1484  2224  omsecor.exe                                                               34
PID 2224 wrote to memory of 1484  2224  omsecor.exe                                                               34
PID 2224 wrote to memory of 1484  2224  omsecor.exe                                                               34
PID 2224 wrote to memory of 1484  2224  omsecor.exe                                                               34
Processes
C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2104
    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2224
      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID:1484
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 88KB
MD5: bc39a6d0fc4d805af6d57329e7e9f3e1
SHA1: d3af67bdf4920abc78801a6aa45716996770e010
SHA256: 33ad5b64575f9d8b13f79ccefacd86687150d18ef11f0b9403667f9edbdfa063
SHA512: ce5451f5693e8716afb3a875083b5efd62d87f548797228bd798a085c752cbc12594d5f4ff685bb00b6d7b8a6ebcf82442046168ebc37ae15332eed0cdea1530

Filesize: 88KB
MD5: 742f951e0d4649cfc7eeeaa0714c45db
SHA1: 705766e428dd9857cca007341208fcbe4de97406
SHA256: 36e8e9c06ec343c394c74b02424bed471f506d9890c61f00b0bd914f6f36369c
SHA512: af75ac7c4fdf36d8fc5b7fe74985e60274d34210e936a72ae5ff70b9be8beb6bc1eb1fecda0f54a8b5bfb99e7989f16e4035ade220245d2e7b554d8972dd9302

Filesize: 88KB
MD5: 3bde8b0b4241659ae0409ab65892c69a
SHA1: d1d7ec3aa4f106ba3388d5b1b428d676855bb154
SHA256: ac9615b4ba6cccf7cb97d42053300aa53761f4d29b1723c05a559aad91f83a7d
SHA512: 507b6819f556a19c7184d409bddeeb0a8bcfc2c93863cbc379911bf164bb15af475c9488f46c19263d22d6caf30161b260328c1ba47729ec60be3711eadcc628