Analysis
  Max time kernel: 115s
  Max time network: 128s
  Platform: windows10-2004_x64
  Resource: win10v2004-20241007-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 09/11/2024, 20:29
Behavioral task: behavioral1
  Sample: 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
  Resource: win7-20240903-en
General
  Target: 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
  Size: 88KB
  MD5: 9696aabe3d06fde042bc8e1ed8b17cc0
  SHA1: 14bcc2cc8eb9c2bc2137472c7531597213c0b4f0
  SHA256: 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191e
  SHA512: f530d3a57fa2795bbf7fc2f57ef6462df426f22e71f4f448f45992a9b0de2543925596d03ff4c5400d9d4f3bce307e47011fec8556c3bc2d91a9643c2513e478
  SSDEEP: 768:0MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:0bIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
  Extracted
    Family: neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures
  - Neconyd family
  - Executes dropped EXE (3 IoCs)
      PID    Process
      5016   omsecor.exe
      3188   omsecor.exe
      3852   omsecor.exe
  - Drops file in System32 directory (1 IoC)
      Description    IoC                                Process
      File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
  - System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
      Description   IoC                                                            Process
      Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
      Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
      Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
      Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  - Suspicious use of WriteProcessMemory (9 IoCs)
      Description                         PID    Process                                                                    procid_target
      PID 1480 wrote to memory of 5016    1480   6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe    83
      PID 1480 wrote to memory of 5016    1480   6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe    83
      PID 1480 wrote to memory of 5016    1480   6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe    83
      PID 5016 wrote to memory of 3188    5016   omsecor.exe                                                                101
      PID 5016 wrote to memory of 3188    5016   omsecor.exe                                                                101
      PID 5016 wrote to memory of 3188    5016   omsecor.exe                                                                101
      PID 3188 wrote to memory of 3852    3188   omsecor.exe                                                                102
      PID 3188 wrote to memory of 3852    3188   omsecor.exe                                                                102
      PID 3188 wrote to memory of 3852    3188   omsecor.exe                                                                102
Processes
  1. C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe (PID 1480)
     Command line: "C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe"
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 5016)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\omsecor.exe (PID 3188)
           Command line: C:\Windows\System32\omsecor.exe
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
           4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3852)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  - Filesize: 88KB
    MD5: bb8775c5de7533b0643f51759a4fdc3f
    SHA1: ec9bc76c3ddea21aa4b360233c4319eed87c787e
    SHA256: 42b16fe6fd50031dfb46cd6e85e30c36dafa0ca1a6706642e9f96facaddfbbf4
    SHA512: 5239a539869dc2319c80932b3e157fd2b082f94297fe83e0acb772e925bdf5beeb0fed95ea00bf2a2e60b0f3ecc06f894a998f926a396ce5a3baf31b36802e3a
  - Filesize: 88KB
    MD5: 742f951e0d4649cfc7eeeaa0714c45db
    SHA1: 705766e428dd9857cca007341208fcbe4de97406
    SHA256: 36e8e9c06ec343c394c74b02424bed471f506d9890c61f00b0bd914f6f36369c
    SHA512: af75ac7c4fdf36d8fc5b7fe74985e60274d34210e936a72ae5ff70b9be8beb6bc1eb1fecda0f54a8b5bfb99e7989f16e4035ade220245d2e7b554d8972dd9302
  - Filesize: 88KB
    MD5: 74b04dd7cd457509b84aab0bcc1fb37f
    SHA1: f045ff0b91a6a5f58c2831d2643d22a6328e4a5a
    SHA256: b867266c03a7cf0ace295dc90136467601f42a6aea42fe6b9dd7d5c92e1e1b5b
    SHA512: 6b499607fd2453a2ebf315e6fdb9f2711277c4a1b80eda9135173604620d6427cd47658e0d5a76f9c34263f99b1b6f18d468b3f50dd2300e16bb2380b9b65e08