Analysis
- max time kernel: 114s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-01-2025 03:10
Behavioral task: behavioral1
- Sample: f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe
- Resource: win7-20240903-en
General
- Target: f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe
- Size: 90KB
- MD5: 3a8139c50c5539a1bcb271ed8c9b0440
- SHA1: a18b0272247e471041f16984b460a0c5a0b32f92
- SHA256: f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0
- SHA512: ae3c80ac400fa1d16a7f57fa09bfb7708404dbf2666705c5ce0ee19e5b5c286d3c8f18a846895a0a0961ce5c714dda32aca6cf646e64a8a279b1a00ea09e3bc7
- SSDEEP: 768:tMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA:tbIvYvZEyFKF6N4aS5AQmZTl/5
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
    PID    Process
    4464   omsecor.exe
    4316   omsecor.exe
    740    omsecor.exe
- Drops file in System32 directory (1 IoC)
    Description    IoC                                Process
    File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Description   IoC                                                            Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
    Description                        PID    Process                                                                   procid_target
    PID 2372 wrote to memory of 4464   2372   f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe    83
    PID 2372 wrote to memory of 4464   2372   f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe    83
    PID 2372 wrote to memory of 4464   2372   f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe    83
    PID 4464 wrote to memory of 4316   4464   omsecor.exe                                                               101
    PID 4464 wrote to memory of 4316   4464   omsecor.exe                                                               101
    PID 4464 wrote to memory of 4316   4464   omsecor.exe                                                               101
    PID 4316 wrote to memory of 740    4316   omsecor.exe                                                               102
    PID 4316 wrote to memory of 740    4316   omsecor.exe                                                               102
    PID 4316 wrote to memory of 740    4316   omsecor.exe                                                               102
Processes
1. C:\Users\Admin\AppData\Local\Temp\f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe (PID 2372)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f4e89ec29670c1c02e42923d5f2f700825d28dff048ad69e0848d00d0d72d2b0N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4464)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 4316)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 740)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90KB
  MD5: d04309ff68bf6d44633b1c08e6b6e628
  SHA1: 05e626284eb7de9264a74913f572414611270c9b
  SHA256: 589a18866007507ffc52ea59868ba0cc047257db0359429a87623e6eaba57761
  SHA512: e8b74389565e740a4e46a8781855182bea699f83fd84556fd24ec7806dfffafd98ba1f369135f5c6ebdb81fb5694f4f359990050ce4abaafd8b796fc7a4b52ce
- Filesize: 90KB
  MD5: 6622eed5814f990b7bc50b0b79eeb8bd
  SHA1: e634cdaec247f04cbb52f618e7c858d1fe895eae
  SHA256: 9f29ad8b8ad26974e6ca970a934b8f45f1501faf804f06f5868d4d7e2da932ef
  SHA512: c2a2b7f49080d069073afebab14ba61d625d0663b68e35faa0ccd475086fa14e68ab53e1d9e881d1c49afd8d68eeaf7632e05fb1ac5269f64a6b8699579077db
- Filesize: 90KB
  MD5: ee9d415965eaf98ed7ff719382e96788
  SHA1: 32f16c2ad1908ad56fef599df8634fe69086f718
  SHA256: 5119da025b7121c58e83401abcc23c4d92473af8d4268cc927811fcdf7e96c51
  SHA512: 0a219ae3261ba40124ea0e20ad92736ea07f3f71c31dd87a1d2f2cbc0345b73e8e40ffd7192a0c2f2acdc4cd342bd7d78919a847d40f8999f0cf24831e1b9c74