Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2024, 16:11 UTC

General

  • Target

    87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe

  • Size

    65KB

  • MD5

    f4d23a12b91eabc6b0ab6d74b3165840

  • SHA1

    e3e5761bb1d5155fc4f8d83ee53877bcbf8aeeca

  • SHA256

    87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd

  • SHA512

    62cc1168ad0c21ca1dbd636b453577d147e2b4d15c17f6e26b516f9f8bb7417b843235aebd4c50f4b8a8986d06b84cc4b810ed240faac4ba643728f489b93886

  • SSDEEP

    1536:Od9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:WdseIO+EZEyFjEOFqTiQmRHzl

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe
    "C:\Users\Admin\AppData\Local\Temp\87f64349675dafd0dfacb0fe9e3eb241dfc22164d6ad0df2a37835bc2b0931bd.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4992

Network

  • DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • GET
    http://mkkuei4kdsz.com/29/455.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /29/455.html HTTP/1.1
    From: 133801351104289304
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A27=1e:77:0998e=07ieheb6gdfe5:54e
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 31 Dec 2024 16:12:53 GMT
    content-length: 114
  • DNS
    145.243.33.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.243.33.3.in-addr.arpa
    IN PTR
    Response
    145.243.33.3.in-addr.arpa
    IN PTR
    a3edc0dabdef92d6d.awsglobalaccelerator.com
  • DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • GET
    http://ow5dirasuek.com/632/84.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /632/84.html HTTP/1.1
    From: 133801351104289304
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6541aoe|A27=1e:77:0998e=07ieheb6gdfe5:54e
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 31 Dec 2024 16:13:04 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=b92ba68bd0311ab5dc3a0647d53affec|181.215.176.83|1735661584|1735661584|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • DNS
    229.198.34.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    229.198.34.52.in-addr.arpa
    IN PTR
    Response
    229.198.34.52.in-addr.arpa
    IN PTR
    ec2-52-34-198-229.us-west-2.compute.amazonaws.com
  • DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/29/455.html
    http
    omsecor.exe
    466 B
    388 B
    6
    4

    HTTP Request

    GET http://mkkuei4kdsz.com/29/455.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/632/84.html
    http
    omsecor.exe
    466 B
    623 B
    6
    5

    HTTP Request

    GET http://ow5dirasuek.com/632/84.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    156 B
    3
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    145.243.33.3.in-addr.arpa
    dns
    71 B
    127 B
    1
    1

    DNS Request

    145.243.33.3.in-addr.arpa

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

  • 8.8.8.8:53
    229.198.34.52.in-addr.arpa
    dns
    72 B
    135 B
    1
    1

    DNS Request

    229.198.34.52.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    65KB

    MD5

    6f0742dda9615f89331da8e2fab0f796

    SHA1

    80ba2d59dac3684101f0abac1481bb8c652593f1

    SHA256

    261cf7133a4f55df9cc3fc72cc58991bbd69789f9098e1064a058321b2e24ff3

    SHA512

    64e945e6acd96b291abd5fe3b9342b0474af9afae82b188bd23ebc6d1735c5b8a60654b43d8de3f0670ba286f894c86b1c1e837195b5b9e94cee61e3cbf0be3a

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    65KB

    MD5

    c1e55c21e3442b96f2dd26b57ac531c1

    SHA1

    1cc845020f68a893fe751f851383196dccff8bd3

    SHA256

    4a2cdec670d2f2f6632fa76b0f9a27ab0b39ac9ffd55decc5d9d56b186ba9285

    SHA512

    857bc70f51ad08e289728f0c23eeb5661867cba14a52716dff231668061edf5af37565923d9419b29d12ffbb2b1d8200bb1a39c131594ed126b16354f5a0ec1c

  • memory/3164-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3164-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4668-5-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4668-7-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4668-13-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4992-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4992-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB
