Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-01-2025 17:57
Static task: static1
Behavioral task: behavioral1
Sample: dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe
Resource: win7-20240903-en
General
Target: dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe
Size: 96KB
MD5: 82bbb006b062bb4abcfa4f23d8657960
SHA1: 4fed425c1d5f832e8996c3c877ba2933a5d904c5
SHA256: dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469
SHA512: 55710cbe8106aa67755e57323d8731c0dea40717a54ce66f0aee9ece962e21bae86117d0eb5d9c430c5b3ac9b39f0a7cca620f59f70beb2facc2331e1d32e1d6
SSDEEP: 1536:SnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:SGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
  PID   Process
  2404  omsecor.exe
  2800  omsecor.exe
  2916  omsecor.exe
  768   omsecor.exe
  2212  omsecor.exe
  2112  omsecor.exe

Loads dropped DLL (7 IoCs)
  PID   Process
  3032  dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe
  3032  dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe
  2404  omsecor.exe
  2800  omsecor.exe
  2800  omsecor.exe
  768   omsecor.exe
  768   omsecor.exe

Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  Description                          PID   Process                                                                  procid_target
  PID 1980 set thread context of 3032  1980  dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe  30
  PID 2404 set thread context of 2800  2404  omsecor.exe                                                              32
  PID 2916 set thread context of 768   2916  omsecor.exe                                                              36
  PID 2212 set thread context of 2112  2212  omsecor.exe                                                              38

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs; identical events collapsed, count in the last column)
  Description                       PID   Process                                                                  procid_target  Events
  PID 1980 wrote to memory of 3032  1980  dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe  30             6
  PID 3032 wrote to memory of 2404  3032  dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe  31             4
  PID 2404 wrote to memory of 2800  2404  omsecor.exe                                                              32             6
  PID 2800 wrote to memory of 2916  2800  omsecor.exe                                                              35             4
  PID 2916 wrote to memory of 768   2916  omsecor.exe                                                              36             6
  PID 768 wrote to memory of 2212   768   omsecor.exe                                                              37             4
  PID 2212 wrote to memory of 2112  2212  omsecor.exe                                                              38             6
Processes (each process is the parent of the one nested below it)

1. C:\Users\Admin\AppData\Local\Temp\dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe (PID 1980)
   Command line: "C:\Users\Admin\AppData\Local\Temp\dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe (PID 3032)
     Command line: C:\Users\Admin\AppData\Local\Temp\dbe28c1e7ed67ebaacd6e85f0189356720badc2839c932b0320ff9b6f94bb469N.exe
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2404)
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2800)
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\omsecor.exe (PID 2916)
           Command line: C:\Windows\System32\omsecor.exe
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

          6. C:\Windows\SysWOW64\omsecor.exe (PID 768)
             Command line: C:\Windows\SysWOW64\omsecor.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory

            7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2212)
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

              8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2112)
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
Filesize: 96KB
MD5: 1039e1b2a4ffa2e97636737e46a14076
SHA1: 3b0b1773ef4282ae50abfc3e7f046374ef1f9a3f
SHA256: b9e3d2436f28ff7cd506a00e6a04fd78b9cab7a0792087606e736fb09afe2f4c
SHA512: 054894b232689f8e0ae3aeea12e4290b9014e503c74a4c8f192bff1f8a3101af42ffd2c86af6bbdee8f2b46937e83f6bfec5c714936e238eb29197629d4471b2

Dropped file 2
Filesize: 96KB
MD5: 3edac1da41bc9aeb4052369a2341c5fc
SHA1: 5bc0065137eb37b6c35c919f22ae3496ddf99b85
SHA256: 059e5d91effe675a6e2d5b8943397217b55a6fe810b49887f567b6e80c0db780
SHA512: f95bbbfaa390df819abd3a3a470c187ab4e43e3a216914d0a0907385075565994b8bf4ae5b09f84f630e397c4334fea9cf50c86ea4cfcf05433d63cf35ecea72

Dropped file 3
Filesize: 96KB
MD5: cb2471ee0ff48c4706c36aacad8f9de9
SHA1: 537547163407850ebc9bb818d77b0182701783ac
SHA256: 82b0a15488b6f4283ae83ae3d8c38abfd4a203a1b295cf37924fe556fe00cf6a
SHA512: 5427f551498e178b3c65ef72394e854ca1a3c1c1fe09eeb5ef732f54ecc977b539b5218eb841450c914f5347417d68aedbaa501feef50334381ba30ca2d7c7b6