Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10-01-2025 10:25
Static task: static1
Behavioral task: behavioral1
Sample: f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe
Resource: win7-20240708-en
General
Target: f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe
Size: 96KB
MD5: 3076cf51738ce95e89569894b2fc7b40
SHA1: 7d60990e226390257d7627dc0bb21ae491a21391
SHA256: f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e
SHA512: cc311f8be8e08e1b1fbda869352201283671fedadd89b9fd7b9d3af7591d11d0273a1941793e372b948431f4a8170a687148714f2aee3e17824bfbeffc949d10
SSDEEP: 1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:EGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  2192  omsecor.exe
  2132  omsecor.exe
  2352  omsecor.exe
  1212  omsecor.exe
  1976  omsecor.exe
  2296  omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid   Process                                                                 rows
  2408  f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe   2
  2192  omsecor.exe                                                             1
  2132  omsecor.exe                                                             2
  1212  omsecor.exe                                                             2
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 2368 set thread context of 2408  2368  f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe   30
  PID 2192 set thread context of 2132  2192  omsecor.exe                                                             32
  PID 2352 set thread context of 1212  2352  omsecor.exe                                                             36
  PID 1976 set thread context of 2296  1976  omsecor.exe                                                             38
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process                                                                 rows
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe                                                             6
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe   2
- Suspicious use of WriteProcessMemory (36 IoCs)
  The sandbox records one row per call; identical rows are collapsed here and the number of rows is given in the last column. Every hop that also appears under SetThreadContext above (2368->2408, 2192->2132, 2352->1212, 1976->2296) is a parent writing into a child that runs the same image, the pattern expected of process hollowing.
  description                       pid   Process                                                                 procid_target  rows
  PID 2368 wrote to memory of 2408  2368  f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe   30             6
  PID 2408 wrote to memory of 2192  2408  f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe   31             4
  PID 2192 wrote to memory of 2132  2192  omsecor.exe                                                             32             6
  PID 2132 wrote to memory of 2352  2132  omsecor.exe                                                             35             4
  PID 2352 wrote to memory of 1212  2352  omsecor.exe                                                             36             6
  PID 1212 wrote to memory of 1976  1212  omsecor.exe                                                             37             4
  PID 1976 wrote to memory of 2296  1976  omsecor.exe                                                             38             6
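The SetThreadContext and WriteProcessMemory rows above are easier to read once they are paired per parent/child hop. The script below is an added worked example, not sandbox output: it takes the report's own rows (PIDs, image names and target indices copied from the signature tables and the process tree; the WriteProcessMemory rows are reproduced with their multiplicities), rebuilds the stage chain by following the write edges from the root PID, and flags each hop where the parent both wrote into the child and replaced its thread context while the child runs the same image. That is the process-hollowing pattern; the report does not show the child's creation flags, so "suspended" creation is inferred, not observed. Function names, the `rows` multipliers and the verdict strings are the example's own.

```python
import re
from collections import Counter

# Sample name and per-PID image paths, copied from the "Processes" tree above.
SAMPLE = "f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
ROAMING = "C:\\Users\\Admin\\AppData\\Roaming\\"
SYSWOW64 = "C:\\Windows\\SysWOW64\\"
IMAGES = {
    2368: TEMP + SAMPLE, 2408: TEMP + SAMPLE,
    2192: ROAMING + "omsecor.exe", 2132: ROAMING + "omsecor.exe",
    2352: SYSWOW64 + "omsecor.exe", 1212: SYSWOW64 + "omsecor.exe",
    1976: ROAMING + "omsecor.exe", 2296: ROAMING + "omsecor.exe",
}

# Signature rows as the sandbox prints them (one row per API call, so the
# WriteProcessMemory rows repeat; the multipliers reproduce the 36 rows).
STC_ROWS = [
    f"PID 2368 set thread context of 2408 2368 {SAMPLE} 30",
    "PID 2192 set thread context of 2132 2192 omsecor.exe 32",
    "PID 2352 set thread context of 1212 2352 omsecor.exe 36",
    "PID 1976 set thread context of 2296 1976 omsecor.exe 38",
]
WPM_ROWS = (
    [f"PID 2368 wrote to memory of 2408 2368 {SAMPLE} 30"] * 6
    + [f"PID 2408 wrote to memory of 2192 2408 {SAMPLE} 31"] * 4
    + ["PID 2192 wrote to memory of 2132 2192 omsecor.exe 32"] * 6
    + ["PID 2132 wrote to memory of 2352 2132 omsecor.exe 35"] * 4
    + ["PID 2352 wrote to memory of 1212 2352 omsecor.exe 36"] * 6
    + ["PID 1212 wrote to memory of 1976 1212 omsecor.exe 37"] * 4
    + ["PID 1976 wrote to memory of 2296 1976 omsecor.exe 38"] * 6
)

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) ")


def parse_rows(rows):
    """Turn sandbox rows into (api, source_pid, target_pid) tuples."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised signature row: {row!r}")
        api = "SetThreadContext" if m.group(2).startswith("set") else "WriteProcessMemory"
        events.append((api, int(m.group(1)), int(m.group(3))))
    return events


def build_chain(events):
    """Follow WriteProcessMemory edges from the root PID to recover stage order.

    Assumes each writer targets one child (true for this report); a branching
    tree would need the real parent/child map from the process list.
    """
    edges = {}
    for api, src, dst in events:
        if api == "WriteProcessMemory" and edges.setdefault(src, dst) != dst:
            raise ValueError(f"PID {src} writes to more than one child")
    roots = [p for p in edges if p not in edges.values()]
    if len(roots) != 1:
        raise ValueError(f"expected a single root, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append(pid)
        pid = edges.get(pid)
    return chain


def classify(events, chain, images):
    """Pair each hop's memory writes with SetThreadContext and give a verdict.

    Writes into a child running the same image, followed by SetThreadContext
    on that child, match process hollowing (the report does not show the
    child's creation flags).  Writes with no SetThreadContext mark the hops
    where the next stage is launched as a new executable.
    """
    writes = Counter((s, d) for api, s, d in events if api == "WriteProcessMemory")
    ctx = {(s, d) for api, s, d in events if api == "SetThreadContext"}
    findings = []
    for src, dst in zip(chain, chain[1:]):
        hijacked = (src, dst) in ctx
        if hijacked and images[src] == images[dst]:
            verdict = "hollowed copy of parent"
        elif hijacked:
            verdict = "thread context hijack of a different image"
        else:
            verdict = "launches next stage (no SetThreadContext)"
        findings.append({"src": src, "dst": dst, "writes": writes[(src, dst)],
                         "image": images[dst], "verdict": verdict})
    return findings


def analyze(stc_rows=STC_ROWS, wpm_rows=WPM_ROWS, images=IMAGES):
    """Return (stage chain, per-hop findings) for the report's signature rows."""
    events = parse_rows(stc_rows) + parse_rows(wpm_rows)
    chain = build_chain(events)
    return chain, classify(events, chain, images)


if __name__ == "__main__":
    chain, findings = analyze()
    print("stage chain:", " -> ".join(map(str, chain)))
    for f in findings:
        print(f"{f['src']} -> {f['dst']}: {f['writes']} writes, {f['verdict']}; "
              f"child image {f['image']}")
```

Run as-is it prints the eight-PID chain and alternating "hollowed copy of parent" / "launches next stage" verdicts, which is the reading of the tables that matters for detection: the 6-write hops are the in-place hollowing of a same-image child, the 4-write hops are where the dropped omsecor.exe is started from Roaming, then SysWOW64, then Roaming again.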
Processes
1. C:\Users\Admin\AppData\Local\Temp\f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe (PID 2368)
   command line: "C:\Users\Admin\AppData\Local\Temp\f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe (PID 2408)
      command line: C:\Users\Admin\AppData\Local\Temp\f5e99fb8061cf5e593ecb45ce3c4cfe95e1a9e1a0f84814f41b69eaea99cc47e.exe
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2192)
         command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2132)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\omsecor.exe (PID 2352)
               command line: C:\Windows\System32\omsecor.exe
               The command line names C:\Windows\System32\omsecor.exe while the image runs from C:\Windows\SysWOW64\: on this x64 image the 32-bit process is subject to WOW64 file-system redirection, which is also why the "Drops file in System32 directory" signature records the SysWOW64 path.
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\omsecor.exe (PID 1212)
                  command line: C:\Windows\SysWOW64\omsecor.exe
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1976)
                     command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - System Location Discovery: System Language Discovery
                     - Suspicious use of WriteProcessMemory
                     8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2296)
                        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 5380557f87dbdce5df6b891ee51953ca
  SHA1: 3bf0eb859e6cf123bb090297e8b99fb23580810a
  SHA256: cab388cb4ff5ea21173816d2f7f694f83137c0b08ffd51dc20bc3b249173bac6
  SHA512: 729c20863b1f4dbdadff127e4706d4785e6ac721f50afeafb91ec14ff15a94430b11e225848c06df8af06253c808178ff56b70ac268cbe28c0b90bbfdce229ea
- Filesize: 96KB
  MD5: 3db6500c9e2232de4b92cd66fa8eb326
  SHA1: af4112db8ff94d390188df74a2c3b2ed7a2a6642
  SHA256: 407c925314ae3f4ea42973a2b63c7d6431b98b55372e57ff178c23202bf5f6f3
  SHA512: d5688885d003742486edefee17e02520ed4b16f897040a7819396fe7c8a6b501d6889385b35a3ec3aae075eb0ce7cd33ac857e4c8b06ea0ee6f58e60410c1941
- Filesize: 96KB
  MD5: fcc4317deaa0b5c90fc5537631fd5c93
  SHA1: 203ca5ab635933ee123c353b414d0cc31b8324a1
  SHA256: d8c869f792f9be0d05bb3787b29893b56208b4cf6848d804a47fef92fdd0d7d7
  SHA512: 69ceda3cd629bc771f444c0b0458b5033ea1255f486df3957356fcd33128eac7fdd9b9f73c6503ef35fa9ba7c58224268c97eb6f121ba89da2eccdc44bbd1abc