Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/01/2025, 11:05 UTC

General

  • Target

    3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe

  • Size

    33KB

  • MD5

    e5b42dd7efabacf213b0424c30e7ae8e

  • SHA1

    f77548bd265bf7e742a37ddfa47b154a845a3567

  • SHA256

    3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3

  • SHA512

    ee79cf176c41424e0487571eb9d59c57a8e2544f1b9acbb6e15feccaf0eac441d6ff3a8825d5ad2d57e2b106ab65e78007fc65d9cb95136b1c6904da9822adb2

  • SSDEEP

    768:0fVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7DF:0fVRztyHo8QNHTk0qE5fslvN/956qo

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe
    "C:\Users\Admin\AppData\Local\Temp\3b70d7a6eca937fbf9c3253e2e55733008ae25f19e054afcc7e5bdf2a170b7b3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3888

Network

  • DNS (US)
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • DNS (US)
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    184.115.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    184.115.23.2.in-addr.arpa
    IN PTR
    Response
    184.115.23.2.in-addr.arpa
    IN PTR
    a2-23-115-184.deploy.static.akamaitechnologies.com
  • DNS (US)
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    15.197.204.56
    mkkuei4kdsz.com
    IN A
    3.33.243.145
  • GET (US)
    http://mkkuei4kdsz.com/1/948.html
    omsecor.exe
    Remote address:
    15.197.204.56:80
    Request
    GET /1/948.html HTTP/1.1
    From: 133811535433287164
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<^/8/55\/7\40`ae-c8ac8/4`^d03.6a`
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Sun, 12 Jan 2025 11:06:46 GMT
    content-length: 114
  • DNS (US)
    56.204.197.15.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.204.197.15.in-addr.arpa
    IN PTR
    Response
    56.204.197.15.in-addr.arpa
    IN PTR
    a3edc0dabdef92d6d.awsglobalaccelerator.com
  • DNS (US)
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • GET (US)
    http://ow5dirasuek.com/757/464.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /757/464.html HTTP/1.1
    From: 133811535433287164
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<^/8/55\/7\40`ae-c8ac8/4`^d03.6a`
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 12 Jan 2025 11:06:57 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=04736116fbff590b0bfe3b511905b3ee|181.215.176.83|1736680017|1736680017|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • DNS (US)
    229.198.34.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    229.198.34.52.in-addr.arpa
    IN PTR
    Response
    229.198.34.52.in-addr.arpa
    IN PTR
    ec2-52-34-198-229.us-west-2.compute.amazonaws.com
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/1/948.html
    http
    omsecor.exe
    465 B
    388 B
    6
    4

    HTTP Request

    GET http://mkkuei4kdsz.com/1/948.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/757/464.html
    http
    omsecor.exe
    467 B
    623 B
    6
    5

    HTTP Request

    GET http://ow5dirasuek.com/757/464.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    156 B
    3
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    184.115.23.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    184.115.23.2.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    15.197.204.56
    3.33.243.145

  • 8.8.8.8:53
    56.204.197.15.in-addr.arpa
    dns
    72 B
    128 B
    1
    1

    DNS Request

    56.204.197.15.in-addr.arpa

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

  • 8.8.8.8:53
    229.198.34.52.in-addr.arpa
    dns
    72 B
    135 B
    1
    1

    DNS Request

    229.198.34.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    33KB

    MD5

    5b24490bc25bcfff2220736c40d324c6

    SHA1

    141df748d6e2ebb93f7a60569f5391407fc1d02a

    SHA256

    728793d530a87c1379b45bbaee3ebb612ae1eec96f85f24c2b8adc9c299dde24

    SHA512

    c1d8f8805d87db895aeab0e11545c10e10f746b492785aedb25bbd35a92d7e21ba5ad6c3f01bfa5f46d88a69a1a8a665a05e45b4ba45992f462f0a51584908ca

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    33KB

    MD5

    15e7f5fa401f251a24efc732a3a5f481

    SHA1

    0d84648be9e233bc4ee6e405ff2edc1efcf180e3

    SHA256

    7f8aacd13057a1c005ac3be68eff21d684426061a8aa84895bd06b193be54e89

    SHA512

    0041ea52f14391245de7b76da9f4845fb6e6889942794004bcb5c1e4366edfdb005b5bfc33658415dc561bd5e1f5826a5c1493594df9b051d324d6425060263c

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    33KB

    MD5

    c6a9fbfd631de4fd9f435b6a53e43920

    SHA1

    4b1fd530806eab0ef7cc82e8d826c0ed7a476fd4

    SHA256

    8196295c545242bcaaecac03b2d3e7118d29ca0f90c89315265c915dc7b1be18

    SHA512

    43816449a9434e0b420ef55a01758b33644924d241e8def2e0703f3ed4c53bfbe13cbf9defd575bb016f865ab9cc78b504f52fff510adf80705b8f3245aaf25b

  • memory/372-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/372-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2604-13-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2604-10-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2604-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2604-7-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2604-21-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2604-4-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3888-25-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3888-29-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4916-18-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4916-27-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB