Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2024 01:26
Static task: static1
Behavioral task: behavioral1
- Sample: dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe
- Resource: win7-20240903-en
General
- Target: dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe
- Size: 96KB
- MD5: 1dbbcbf48568594f574817811b1b8af8
- SHA1: c1b3437ad6d2d1927fa2c47f2fcf3176b519bdb3
- SHA256: dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864
- SHA512: c7ebb602eb9a339a49a97ff31914d51d81e3793e982655aa750066fc213388e1cf79d1161c7f476ae9f8ed530becaba6cfb2b90233b0156c99917d2c1d937752
- SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:4Gs8cd8eXlYairZYqMddH13B
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
| pid  | Process     |
|------|-------------|
| 4524 | omsecor.exe |
| 3080 | omsecor.exe |
| 60   | omsecor.exe |
| 4776 | omsecor.exe |
| 2568 | omsecor.exe |
| 1524 | omsecor.exe |

Drops file in System32 directory (1 IoC)
| description  | ioc                             | Process     |
|--------------|---------------------------------|-------------|
| File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe |

Suspicious use of SetThreadContext (4 IoCs)
| description                            | pid  | Process                                                              | procid_target |
|----------------------------------------|------|----------------------------------------------------------------------|---------------|
| PID 1764 set thread context of 3636    | 1764 | dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe | 82            |
| PID 4524 set thread context of 3080    | 4524 | omsecor.exe                                                          | 87            |
| PID 60 set thread context of 4776      | 60   | omsecor.exe                                                          | 100           |
| PID 2568 set thread context of 1524    | 2568 | omsecor.exe                                                          | 104           |

Program crash (4 IoCs)
| pid  | pid_target | Process      | procid_target |
|------|------------|--------------|---------------|
| 4232 | 1764       | WerFault.exe | 81            |
| 4860 | 4524       | WerFault.exe | 84            |
| 3460 | 60         | WerFault.exe | 99            |
| 3388 | 2568       | WerFault.exe | 102           |

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc                                                          | Process                                                              |
|-------------|--------------------------------------------------------------|----------------------------------------------------------------------|
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                          |

Suspicious use of WriteProcessMemory (29 IoCs)
The 29 logged calls are grouped below by writer/target pair; the "calls" column gives how many identical rows the report lists for that pair.
| description                         | pid  | Process                                                              | procid_target | calls |
|-------------------------------------|------|----------------------------------------------------------------------|---------------|-------|
| PID 1764 wrote to memory of 3636    | 1764 | dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe | 82            | 5     |
| PID 3636 wrote to memory of 4524    | 3636 | dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe | 84            | 3     |
| PID 4524 wrote to memory of 3080    | 4524 | omsecor.exe                                                          | 87            | 5     |
| PID 3080 wrote to memory of 60      | 3080 | omsecor.exe                                                          | 99            | 3     |
| PID 60 wrote to memory of 4776      | 60   | omsecor.exe                                                          | 100           | 5     |
| PID 4776 wrote to memory of 2568    | 4776 | omsecor.exe                                                          | 102           | 3     |
| PID 2568 wrote to memory of 1524    | 2568 | omsecor.exe                                                          | 104           | 5     |
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, the observed command line, the signatures that fired for it, and its PID).

- PID 1764: C:\Users\Admin\AppData\Local\Temp\dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - PID 3636: C:\Users\Admin\AppData\Local\Temp\dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\dd5d756f778abb42918981d67f7033d98344fabc27c95ee9573a414efe589864.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 4524: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - PID 3080: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - PID 60: C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - PID 4776: C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - PID 2568: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - PID 1524: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - PID 3388: C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 268
                Signatures: Program crash
          - PID 3460: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 292
            Signatures: Program crash
      - PID 4860: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 292
        Signatures: Program crash
  - PID 4232: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 288
    Signatures: Program crash
- PID 2896: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1764 -ip 1764
- PID 4724: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4524 -ip 4524
- PID 1392: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 60 -ip 60
- PID 712: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2568 -ip 2568
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 96KB
  MD5: fed297e6c694c966d3f4a9f47f88be9a
  SHA1: 21f35a5ee91abbf54429579e7020a4083d20c44b
  SHA256: 49f06288a27f33ad399438aa132fa1c08dfca7828c7cdc472167d7ab476f091e
  SHA512: 0f5462b1d91a9417bc5993230ee8339b00b1d2b98ab32805e05532ddb2692b6086a9728dd291605b88f6cd1fa0b77adc1af7e8392e5c7e699d19521363e7d889

- Filesize: 96KB
  MD5: d9c6517ffec25cf28b59c413413314a3
  SHA1: e6100d839acd8da8878663580c16dbb285ffb164
  SHA256: 17d5d3237400b16975f93d151ea8ab7099b5f0c03b76f2b2325c60059c46bc78
  SHA512: 16314ade5650b9c7c11176709ed07022878ed58cf80518c60e25a30ab4f35b27b257a63085939a8765380a29470b4b3aaf42522eebc6af677d9f82c5862a3b1b

- Filesize: 96KB
  MD5: 582943a74922f69a9ece19a83e153cab
  SHA1: fb1657278408d66a8d360892fa6d2bb206c91274
  SHA256: 3888020c7b88775917f189f14ddae8fa0d1a5a5b092c752f3ede56d980e3539b
  SHA512: 0541386822eb09b3717c96c868fa9ca81f142cfde4b97d4273ebce6d9850583c95f5c750656e8744d66eb3005b8b8cfd9137ed2f996cf1632ed67b67a671afb4