Analysis
max time kernel: 114s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2024 05:15
Behavioral task: behavioral1
Sample: 979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13.exe
Resource: win7-20241010-en
General
Target: 979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13.exe
Size: 62KB
MD5: 9ad6250a85082edeec3963bf3880ac2f
SHA1: 944b1d62a57318d6b7d5acb20843984813b061cd
SHA256: 979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13
SHA512: 2e6f749acada8c660dfc3af2376cc84766269cb32d671d54594b2c8e30deae14f89ffb4076a4b4360b9195a98138a6e2e0e444300ee98e1e349919c0e097539d
SSDEEP: 768:NMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA1:NbIvYvZEyFKF6N4yS+AQmZtl/59
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2872  omsecor.exe
2040  omsecor.exe
1652  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                                                                 procid_target
PID 1648 wrote to memory of 2872  1648  979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13.exe  84
PID 1648 wrote to memory of 2872  1648  979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13.exe  84
PID 1648 wrote to memory of 2872  1648  979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13.exe  84
PID 2872 wrote to memory of 2040  2872  omsecor.exe                                                             101
PID 2872 wrote to memory of 2040  2872  omsecor.exe                                                             101
PID 2872 wrote to memory of 2040  2872  omsecor.exe                                                             101
PID 2040 wrote to memory of 1652  2040  omsecor.exe                                                             102
PID 2040 wrote to memory of 1652  2040  omsecor.exe                                                             102
PID 2040 wrote to memory of 1652  2040  omsecor.exe                                                             102
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13.exe"
  PID: 1648
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2872
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2040
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1652
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

The depth-3 process is launched with the command line C:\Windows\System32\omsecor.exe but its image is C:\Windows\SysWOW64\omsecor.exe. SysWOW64 is where WOW64 file-system redirection sends a 32-bit process's accesses to C:\Windows\System32 on an x64 host, so the file the "Drops file in System32 directory" signature records under SysWOW64 and the System32 path in the command line are the same file; a hunt that matches only the literal System32 path will miss it.
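The behaviours listed above (a file dropped into the system directory by a process running from AppData, the NLS\Language key read, and the omsecor.exe relaunch chain Roaming -> SysWOW64 -> Roaming) can be expressed as detection logic. The Python below is an added example written for this page; it is not a Triage signature and not code from the sample's analysis. The event list, the parent PID 600, the notepad.exe noise event and the generic event schema (process, file_create, reg_open) are constructed to mirror the process tree above and are assumptions, not a real Sysmon or EDR export.

```python
import re

# Constructed events in a generic sandbox/EDR shape (assumption: not a real
# Sysmon or Triage export).  PIDs, paths and omsecor.exe mirror the report;
# ppid 600 and the notepad.exe process are invented noise for the example.
SAMPLE = "979004c4485f5fa39b8fd97543b66034f2ca924736feaf832456543430fb8c13.exe"
EVENTS = [
    {"type": "process", "pid": 1648, "ppid": 600,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE},
    {"type": "reg_open", "pid": 1648,
     "key": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"},
    {"type": "process", "pid": 2872, "ppid": 1648,
     "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"},
    # Logged with the pre-redirection System32 path, as in the command line above.
    {"type": "file_create", "pid": 2872,
     "path": "C:\\Windows\\System32\\omsecor.exe"},
    {"type": "process", "pid": 2040, "ppid": 2872,
     "image": "C:\\Windows\\SysWOW64\\omsecor.exe"},
    {"type": "process", "pid": 1652, "ppid": 2040,
     "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"},
    # Benign noise: a system binary also reads NLS\Language.
    {"type": "process", "pid": 4100, "ppid": 600,
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"type": "reg_open", "pid": 4100,
     "key": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"},
]

SYS32 = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\")
NLS_LANGUAGE = re.compile(r"\\control\\nls\\language$", re.I)


def normalize(path):
    """Lower-case the path and fold the WOW64 alias: a 32-bit process that
    touches C:\\Windows\\System32 is redirected to SysWOW64, and the report
    shows the same file under both names, so matching must not depend on
    which spelling the telemetry captured."""
    p = path.strip('"').lower()
    return WOW64 + p[len(SYS32):] if p.startswith(SYS32) else p


def is_system_dir(path):
    return normalize(path).startswith(WOW64)


def is_user_writable(path):
    return USER_WRITABLE.match(normalize(path)) is not None


def analyze(events):
    """Return (rule, pid) hits for the three behaviours in the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []

    def image(pid):
        return procs[pid]["image"] if pid in procs else ""

    for e in events:
        if e["type"] == "file_create":
            # Drop into the system directory by a process living under AppData.
            if is_system_dir(e["path"]) and is_user_writable(image(e["pid"])):
                hits.append(("drop_into_system_dir", e["pid"]))
        elif e["type"] == "reg_open":
            # System Language Discovery: low signal alone, so gate it on the
            # reader running from a user-writable path (notepad.exe is ignored).
            if NLS_LANGUAGE.search(e["key"]) and is_user_writable(image(e["pid"])):
                hits.append(("nls_language_read_from_userdir", e["pid"]))
        elif e["type"] == "process":
            # Relaunch chain: three generations with one basename that bounce
            # between a user-writable directory and the system directory.
            chain, pid = [], e["pid"]
            while pid in procs and len(chain) < 3:
                chain.append(normalize(procs[pid]["image"]))
                pid = procs[pid]["ppid"]
            names = {c.rsplit("\\", 1)[-1] for c in chain}
            if (len(chain) == 3 and len(names) == 1
                    and any(is_system_dir(c) for c in chain)
                    and any(is_user_writable(c) for c in chain)):
                hits.append(("same_name_relaunch_chain", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule}: pid {pid}")
```

Folding the System32/SysWOW64 alias in normalize() is what lets the file_create event, which carries the pre-redirection System32 path, match the SysWOW64 IoC from the signatures section. The NLS\Language read is not a useful indicator by itself, since many legitimate programs open that key; requiring the reader to run from a user-writable path keeps the constructed notepad.exe event out of the hits while still catching PID 1648.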
Network
MITRE ATT&CK Enterprise v15
Downloads

Three 62KB files, the same size as the submitted sample but none carrying its hash:

Filesize: 62KB
MD5: 93d0f6ec9c39455f0c243ad8d286f317
SHA1: feae275e1ef003077f8ae7ad81453193fb72ad96
SHA256: 3f74af82b69f7916c5d75a3ffa651ebd6b2b8df37166cafa232d2757dc9f2d85
SHA512: ffa1ef3185d9175294878db75fcb8c25a176bee0560ec88d1bdc30923ee2be654e4b7082745e024fdf16169dd50b243379ece0686fc08ff9219e6259d1c836ca

Filesize: 62KB
MD5: fb56fc034b5bd064eec376de179f768d
SHA1: e50b09242b2fee7ce2b9ea5770c5af0f47d94b0e
SHA256: f0cda539013b404dad78946f82eb6d11dcbb74508bd61ca7800c61c614b4ecf5
SHA512: 72af281670175471cf29a08744bb7da0c81b29d82b9eee6d27a4a8d69787b10cac9c404d76a095c5b361763d4d2ad3241438cdfc8d0708fef32afb9030712bd3

Filesize: 62KB
MD5: 7f57cad4cf00c6f48b549cca745964e9
SHA1: 4cda0629dc94415b5822668609a5f5d77323f9ff
SHA256: 8da07dbdece138e67aba4c2dec406e27d6c595dba1896ec7733c8e6ddac94dda
SHA512: f8ec486e42a4f7a8637d252e01ef1c7ac6a119b7454b2b12cff267089be5b2b5b2c5655f9c0ac456ca80be8d78fd4be99f681c9b7e348744fab72b56a37f1388