Analysis

max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-01-2025 05:36

Static task: static1
Behavioral task: behavioral1
Sample: e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe
Resource: win7-20240903-en
General

Target: e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe
Size: 134KB
MD5: 7f22c9c284b4cb5cca87ad679107e010
SHA1: 246f2beb44f05b708b3c102bad5bd2f95b319b43
SHA256: e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359ead
SHA512: 6174a15c772b7868be6ace49cb4a0180a68cfb3968dd241aaa3f0920dabd452f9e5a771cfc9462205e1fbf6af4bc368d2d80e1357814190d3ebabed05d22a3e3
SSDEEP: 1536:GDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:4iRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid | Process
2052 | omsecor.exe
1056 | omsecor.exe
4560 | omsecor.exe
2844 | omsecor.exe
2672 | omsecor.exe
2664 | omsecor.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1196 set thread context of 4500 | 1196 | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe | 83
PID 2052 set thread context of 1056 | 2052 | omsecor.exe | 87
PID 4560 set thread context of 2844 | 4560 | omsecor.exe | 108
PID 2672 set thread context of 2664 | 2672 | omsecor.exe | 112

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
4752 | 1196 | WerFault.exe | 82
4024 | 2052 | WerFault.exe | 85
4508 | 4560 | WerFault.exe | 107
4356 | 2672 | WerFault.exe | 110

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 1196 wrote to memory of 4500 | 1196 | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe | 83
PID 1196 wrote to memory of 4500 | 1196 | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe | 83
PID 1196 wrote to memory of 4500 | 1196 | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe | 83
PID 1196 wrote to memory of 4500 | 1196 | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe | 83
PID 1196 wrote to memory of 4500 | 1196 | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe | 83
PID 4500 wrote to memory of 2052 | 4500 | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe | 85
PID 4500 wrote to memory of 2052 | 4500 | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe | 85
PID 4500 wrote to memory of 2052 | 4500 | e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe | 85
PID 2052 wrote to memory of 1056 | 2052 | omsecor.exe | 87
PID 2052 wrote to memory of 1056 | 2052 | omsecor.exe | 87
PID 2052 wrote to memory of 1056 | 2052 | omsecor.exe | 87
PID 2052 wrote to memory of 1056 | 2052 | omsecor.exe | 87
PID 2052 wrote to memory of 1056 | 2052 | omsecor.exe | 87
PID 1056 wrote to memory of 4560 | 1056 | omsecor.exe | 107
PID 1056 wrote to memory of 4560 | 1056 | omsecor.exe | 107
PID 1056 wrote to memory of 4560 | 1056 | omsecor.exe | 107
PID 4560 wrote to memory of 2844 | 4560 | omsecor.exe | 108
PID 4560 wrote to memory of 2844 | 4560 | omsecor.exe | 108
PID 4560 wrote to memory of 2844 | 4560 | omsecor.exe | 108
PID 4560 wrote to memory of 2844 | 4560 | omsecor.exe | 108
PID 4560 wrote to memory of 2844 | 4560 | omsecor.exe | 108
PID 2844 wrote to memory of 2672 | 2844 | omsecor.exe | 110
PID 2844 wrote to memory of 2672 | 2844 | omsecor.exe | 110
PID 2844 wrote to memory of 2672 | 2844 | omsecor.exe | 110
PID 2672 wrote to memory of 2664 | 2672 | omsecor.exe | 112
PID 2672 wrote to memory of 2664 | 2672 | omsecor.exe | 112
PID 2672 wrote to memory of 2664 | 2672 | omsecor.exe | 112
PID 2672 wrote to memory of 2664 | 2672 | omsecor.exe | 112
PID 2672 wrote to memory of 2664 | 2672 | omsecor.exe | 112
Processes

C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe  (PID 1196)
  command line: "C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe  (PID 4500)
      command line: C:\Users\Admin\AppData\Local\Temp\e3ed237dcfe4eec0c76c8cb244887064226ab99cf7ee2c7fa7b5899c69359eadN.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2052)
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 1056)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\omsecor.exe  (PID 4560)
                  command line: C:\Windows\System32\omsecor.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\omsecor.exe  (PID 2844)
                      command line: C:\Windows\SysWOW64\omsecor.exe
                      - Executes dropped EXE
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of WriteProcessMemory
                        C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2672)
                          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                          - Executes dropped EXE
                          - Suspicious use of SetThreadContext
                          - System Location Discovery: System Language Discovery
                          - Suspicious use of WriteProcessMemory
                            C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2664)
                              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                              - Executes dropped EXE
                              - System Location Discovery: System Language Discovery
                            C:\Windows\SysWOW64\WerFault.exe  (PID 4356)
                              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 256
                              - Program crash
                    C:\Windows\SysWOW64\WerFault.exe  (PID 4508)
                      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 292
                      - Program crash
            C:\Windows\SysWOW64\WerFault.exe  (PID 4024)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 288
              - Program crash
    C:\Windows\SysWOW64\WerFault.exe  (PID 4752)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 272
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 2224)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1196 -ip 1196

C:\Windows\SysWOW64\WerFault.exe  (PID 2948)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2052 -ip 2052

C:\Windows\SysWOW64\WerFault.exe  (PID 408)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4560 -ip 4560

C:\Windows\SysWOW64\WerFault.exe  (PID 4952)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2672 -ip 2672
Network
MITRE ATT&CK Enterprise v15
Downloads