Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 21:23
Behavioral task: behavioral1
Sample: c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe
Resource: win7-20240708-en
General
Target: c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe
Size: 90KB
MD5: 15c958471557cebf44080a68531977c0
SHA1: 5595f1f3f31fc2642fcc1d4c86be1966084b3939
SHA256: c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922
SHA512: 8462645de46da2bb5d91d0c2b1777f5fd628ea2bb4fe84c754fe6cdcdfcac67866038be9516207558ecd5369347b840e2f724fb60b99c590c9110a07ca1ad55a
SSDEEP: 768:+MEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:+bIvYvZEyFKF6N4aS5AQmZTl/5
Malware Config
Extracted
Family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2380  omsecor.exe
2772  omsecor.exe
2888  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2368  c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe
2368  c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe
2380  omsecor.exe
2380  omsecor.exe
2772  omsecor.exe
2772  omsecor.exe

Drops file in System32 directory (1 IoCs)
description   ioc                               Process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                          pid   Process                                                                  procid_target
PID 2368 wrote to memory of 2380     2368  c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe  30
PID 2368 wrote to memory of 2380     2368  c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe  30
PID 2368 wrote to memory of 2380     2368  c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe  30
PID 2368 wrote to memory of 2380     2368  c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe  30
PID 2380 wrote to memory of 2772     2380  omsecor.exe                                                              33
PID 2380 wrote to memory of 2772     2380  omsecor.exe                                                              33
PID 2380 wrote to memory of 2772     2380  omsecor.exe                                                              33
PID 2380 wrote to memory of 2772     2380  omsecor.exe                                                              33
PID 2772 wrote to memory of 2888     2772  omsecor.exe                                                              34
PID 2772 wrote to memory of 2888     2772  omsecor.exe                                                              34
PID 2772 wrote to memory of 2888     2772  omsecor.exe                                                              34
PID 2772 wrote to memory of 2888     2772  omsecor.exe                                                              34
Processes
1. C:\Users\Admin\AppData\Local\Temp\c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c979ab1567810bcdbff7ed00bc21ea826933b19b7ac4b95e558f7454f3082922N.exe"
   PID: 2368
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2380
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2772
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2888
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 90KB
MD5: 30c5aaa604b8171cb246bb7f48e64513
SHA1: 06e1bd6399b6b282bf26ac752490d8264e651431
SHA256: a436bea9bd9b978b1bad072d9d50088d5289bc1257a9fe7785a8e5c7954d3f53
SHA512: 087a80e037702bc51dfb35884a98aef37ad4c0b82d92987688e3feafc947d5e3dd9bf8a9825b25295f90a0a46867aaa4b50389ad05d18f3b9e34a6ef3a8dab4f

Filesize: 90KB
MD5: 462fbbbcea4785c261deba8eea09f195
SHA1: 88f78d8479a99ba8f67e0c2bfae9cbb817fbcf01
SHA256: 2ddfd4804d31666c21c5ba9f144f093921015baa3fbbd591e5f701ebe5b818e0
SHA512: 73fb9f6a902a55fc141b48a06d5ecc0c52dbce3f0a21a67bfceec805f8292cc05f025d461d3dd704a3c697498c0abbe4d5ab9fde5395ddf6c8427c170ab8beff

Filesize: 90KB
MD5: 25fc959e2a5dce28e1f96549eb604993
SHA1: 0e44a07ce6a9131241e2dc39be796ab9810a7307
SHA256: 917b0a147fb04726530173370b320e270179c45df737c59df846e7b247ce4b8d
SHA512: 19963ee1eec9093f5d2661eef9481aee05a88481dad1c31f2e99e5af7fe56bb20ae286d11ab2c9b0a9e0ea76d4f0d49ddbd501c1da37737ea8c0b0203823d69d