Analysis

max time kernel: 140s
max time network: 130s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12-01-2025 08:38

Static task: static1
Behavioral task: behavioral1
Sample: e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
Resource: win7-20241010-en
General

Target: e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
Size: 134KB
MD5: 7f22c9c284b4cb5cca87ad679107e010
SHA1: 246f2beb44f05b708b3c102bad5bd2f95b319b43
SHA256: e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead
SHA512: 6174a15c772b7868be6ace49cb4a0180a68cfb3968dd241aaa3f0920dabd452f9e5a771cfc9462205e1fbf6af4bc368d2d80e1357814190d3ebabed05d22a3e3
SSDEEP: 1536:GDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:4iRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config

Extracted
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
  pid    Process
  2572   omsecor.exe
  2860   omsecor.exe
  668    omsecor.exe
  1456   omsecor.exe
  2128   omsecor.exe
  2476   omsecor.exe

Loads dropped DLL (7 IoCs)
  pid    Process
  2700   e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
  2700   e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
  2572   omsecor.exe
  2860   omsecor.exe
  2860   omsecor.exe
  1456   omsecor.exe
  1456   omsecor.exe

Drops file in System32 directory (1 IoC)
  description    ioc                               Process
  File created   C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                           pid    Process                                                                  procid_target
  PID 2324 set thread context of 2700   2324   e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe   30
  PID 2572 set thread context of 2860   2572   omsecor.exe                                                              32
  PID 668 set thread context of 1456    668    omsecor.exe                                                              36
  PID 2128 set thread context of 2476   2128   omsecor.exe                                                              38
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Identical rows are collapsed; the "entries" column gives how many times each row occurs in the report.
  description                        pid    Process                                                                  procid_target   entries
  PID 2324 wrote to memory of 2700   2324   e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe   30              6
  PID 2700 wrote to memory of 2572   2700   e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe   31              4
  PID 2572 wrote to memory of 2860   2572   omsecor.exe                                                              32              6
  PID 2860 wrote to memory of 668    2860   omsecor.exe                                                              35              4
  PID 668 wrote to memory of 1456    668    omsecor.exe                                                              36              6
  PID 1456 wrote to memory of 2128   1456   omsecor.exe                                                              37              4
  PID 2128 wrote to memory of 2476   2128   omsecor.exe                                                              38              6
Processes

Each process below is the child of the one above it (depth 1 to 8).

1. C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe"
   PID: 2324
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead.exe
     PID: 2700
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Roaming\omsecor.exe
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       PID: 2572
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2860
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\omsecor.exe
           Command line: C:\Windows\System32\omsecor.exe
           PID: 668
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

          6. C:\Windows\SysWOW64\omsecor.exe
             Command line: C:\Windows\SysWOW64\omsecor.exe
             PID: 1456
             - Executes dropped EXE
             - Loads dropped DLL
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory

            7. C:\Users\Admin\AppData\Roaming\omsecor.exe
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               PID: 2128
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

              8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 PID: 2476
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
Downloads

Download 1
  Filesize: 134KB
  MD5: 18668d61121192e11537698f2eb97846
  SHA1: d01fe865e9d8fe97739a63286ddd4616fad422b0
  SHA256: 8963b2320e25b958b27a0887bd29fe287339eb4e3423d842705b883fcb70a2bc
  SHA512: 56c6f7938e0aa2200009ed08b0377e4d08a157a2af045c29512222cd45b663ffc5392c03b2b0561d9bbf96a9a88f8dab87837f8b5dfd8afdd494450b9f785861

Download 2
  Filesize: 134KB
  MD5: 209c0030fdbb759bb8791d2b3c3059f0
  SHA1: 1358aff9fbce2a190d8b11ee5aff8cb9a8dd7103
  SHA256: c417c37e012880deb7aeb3aba6ad67e6af969e6161268f9d3a55dedda729193d
  SHA512: 3a6dcf575a3d059e2639aff0911046d5ecbe5b405ed3f41e3866db6fabe203035711b9e62ab872d3ba96b5b65a97b89bcf36b612bb90177aea63a7fa41a0a863

Download 3
  Filesize: 134KB
  MD5: cfaa63092fbc6c4e129c1e97908899a6
  SHA1: 6c890ff1c1d6bbcb77a5b9beb420969faa577b80
  SHA256: 23d0ac00eddd2ef9526769add7df133940d8d41848f98e996bbc12033f7120a4
  SHA512: 003bb3fd172414dd7f1aa2b48e0fce69fa43be9c6f3a7dc57db7e9d49fca4d7c94222e3b9e6600cbb84f107766fe54b57e340c983599020ea15d032acf47d4a9