Analysis
Max time kernel: 114s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 13-01-2025 08:02
Static task: static1
Behavioral task: behavioral1
Sample: bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe
Resource: win7-20240903-en
General
Target: bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe
Size: 96KB
MD5: baef7c20c5e18a5657edb38c27e150d0
SHA1: 7128a13c102608f7521d8749eb55f39190c87262
SHA256: bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832
SHA512: 62680aaf8affee978b55cdb6e3bce1081032666fd226db1b5178521681aedbb1139202a4010ff6602ca71f057a17baf133ced83491431bd6a127cd717db69f41
SSDEEP: 1536:mnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:mGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
Neconyd family
Executes dropped EXE (6 IoCs)
  pid   Process
  2168  omsecor.exe
  968   omsecor.exe
  1384  omsecor.exe
  1624  omsecor.exe
  1316  omsecor.exe
  2920  omsecor.exe
Loads dropped DLL (7 IoCs)
  pid   Process
  2184  bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe
  2184  bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe
  2168  omsecor.exe
  968   omsecor.exe
  968   omsecor.exe
  1624  omsecor.exe
  1624  omsecor.exe
Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 2120 set thread context of 2184  2120  bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe  30
  PID 2168 set thread context of 968   2168  omsecor.exe                                                             32
  PID 1384 set thread context of 1624  1384  omsecor.exe                                                             36
  PID 1316 set thread context of 2920  1316  omsecor.exe                                                             38
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (36 IoCs)
The 36 entries are seven distinct parent-to-child writes, each logged several times; the count column gives how many times each entry appears (6 + 4 + 6 + 4 + 6 + 4 + 6 = 36).
  description                        pid   Process                                                                 procid_target  count
  PID 2120 wrote to memory of 2184   2120  bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe  30             6
  PID 2184 wrote to memory of 2168   2184  bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe  31             4
  PID 2168 wrote to memory of 968    2168  omsecor.exe                                                             32             6
  PID 968 wrote to memory of 1384    968   omsecor.exe                                                             35             4
  PID 1384 wrote to memory of 1624   1384  omsecor.exe                                                             36             6
  PID 1624 wrote to memory of 1316   1624  omsecor.exe                                                             37             4
  PID 1316 wrote to memory of 2920   1316  omsecor.exe                                                             38             6
Processes
Each entry is nested one level below the one before it (the tree depth is given as the level number).

Level 1: C:\Users\Admin\AppData\Local\Temp\bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe"
  PID: 2120
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\bbabd4ebfd6c8f5f61a32fbd69096592a74d8599583007748a2ffe9604c94832N.exe
  PID: 2184
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2168
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 968
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  PID: 1384
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
  PID: 1624
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 1316
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2920
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 96KB
  MD5: 15ca7cfa8985f704fc6c289fb24abfc4
  SHA1: 10f811be18b66daa1af1fe162063b26ae41b78bb
  SHA256: f3ab3663e782611498f1d48f6a126462b530a0d648a6d47b6ae7b77910ee6dd4
  SHA512: 2459fedaab0555dbb65b2bcb048e7332cb837a3c633301a37ec9e39cad0c4011d3a045f15bc0deb6a1d759c69d612799b68322e8a7e84961d83be65f4cb00368

File 2
  Filesize: 96KB
  MD5: cc702d6f28e1995c01082d775c26c4e0
  SHA1: 504387408ebdbb64e2e6abf8010e8b14b2aceeda
  SHA256: f3923daa68313cfa386f25461d6f7c6d81c20cc1a2c15166284bdfcbb2d170ff
  SHA512: 0357976b14815612c074cc9c01918cd73a4dbba56e3c55751edc4c3798dd79a2a3740e995006198c7c0c355efca8fd2b3ec52e5cfcf02c2c19b6786886502952

File 3
  Filesize: 96KB
  MD5: 7b4ec8e021b45904432a955c40d2c359
  SHA1: 353618f351e3b4f39ac28ad24514cf28bbe61647
  SHA256: 2f88ad6dfb7316b20359dc21c912ac614027a3ea6c076a4a37f76b19ac74dac1
  SHA512: 55358b503de1da0a9b024ddea78efa7b35d0e7bc23d14e867424ca2587d31c950719e06b389ac302da702a861ec36853ac65409644ea73d6930fad8b92c90463