Analysis

max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2024 10:40
Behavioral task: behavioral1
Sample: 6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe
Resource: win7-20241010-en
General

Target: 6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe
Size: 71KB
MD5: bd559dcda44a612a74f6c1e219110db0
SHA1: 0e9a08ee761b1e580581cf534094454c0329b91c
SHA256: 6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737
SHA512: f455c04cc62ec1863a59eb24a66c47b498d14ff38d08ebe8fa2ec2710dbd55f1de02de53b2c74aa1cb0e778c0ad76b80186fe8f3b0f494702c98820ab729a45a
SSDEEP: 1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:kdseIOMEZEyFjEOFqTiQmQDHIbH
Malware Config

Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (2 IoCs)
  pid   Process
  1120  omsecor.exe
  1948  omsecor.exe
Drops file in System32 directory (2 IoCs)
  description                   ioc                              Process
  File created                  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  File opened for modification  C:\Windows\SysWOW64\merocz.xc6   omsecor.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                    procid_target
  PID 4540 wrote to memory of 1120  4540  6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe  82
  PID 4540 wrote to memory of 1120  4540  6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe  82
  PID 4540 wrote to memory of 1120  4540  6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe  82
  PID 1120 wrote to memory of 1948  1120  omsecor.exe                                                                92
  PID 1120 wrote to memory of 1948  1120  omsecor.exe                                                                92
  PID 1120 wrote to memory of 1948  1120  omsecor.exe                                                                92
Processes

1. C:\Users\Admin\AppData\Local\Temp\6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6c2389f7e16d75ddb5c0034968282d06aadcffe0612869daf4d05335dbf01737N.exe"
   PID: 4540
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1120
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1948
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 71KB
MD5: 2d714ea31382fbe2bad53bfbc000e91a
SHA1: 7cccb8b158784492ac1e9d8ddb0a9eb5f1559159
SHA256: ec4e6ab21207022350897d0ae96843a1f92fd9e34a44c2b23054b7f606e16b93
SHA512: 659919a5657c4443f921f209b38489b057a9d975c26012dbdbfab4eda020a2878181869d1d1ff8d6ebdfa0d85b753fb2a1a5609b46fbd165bf02b502cb864114

Filesize: 71KB
MD5: 1b78b48f09ae5fcfebdf7027a3c8021a
SHA1: dc9867e4420cb53d3da4e53e1e66b569eb25d563
SHA256: 6849fb7938c7d0214ab7543b609687656de383c2123dd4f48639edae4baf2033
SHA512: 149b843ed03fc6c4bd921404afbf8ca08f23aba85708f2e30b06dff98104566a72c6f3172cef4622627d19c63487cb8110c5dbe23f1e673e2b4a497e45c0c596