Analysis
max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2025 05:33
Static task: static1
Behavioral task: behavioral1
Sample: 5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
Resource: win7-20240903-en
General
Target: 5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
Size: 96KB
MD5: f89d8b35e56a6926f3c5d25275bc8910
SHA1: 099635ff50bfe326939885dbb18e6e49ffecd519
SHA256: 5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86
SHA512: f1170e262bddfefb3681c5acfd9b6458ad4385719700739e5280ee861223ea25e41ecb09ce215c61ddd254af4215599c532a7f4bd313049bd4af6a0cfe9f4522
SSDEEP: 1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxx:EGs8cd8eXlYairZYqMddH13x
Malware Config
Extracted (family: neconyd)
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid   Process
1260  omsecor.exe
3424  omsecor.exe
4748  omsecor.exe
4856  omsecor.exe
4412  omsecor.exe
1436  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                  procid_target
PID 2600 set thread context of 272   2600  5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe  85
PID 1260 set thread context of 3424  1260  omsecor.exe                                                              90
PID 4748 set thread context of 4856  4748  omsecor.exe                                                              110
PID 4412 set thread context of 1436  4412  omsecor.exe                                                              114

Program crash (4 IoCs)
pid   pid_target  Process       procid_target
1788  2600        WerFault.exe  84
3504  1260        WerFault.exe  88
4492  4748        WerFault.exe  109
1852  4412        WerFault.exe  112
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, number of occurrences in the last column)
description                       pid   Process                                                                  procid_target  occurrences
PID 2600 wrote to memory of 272   2600  5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe  85             5
PID 272 wrote to memory of 1260   272   5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe  88             3
PID 1260 wrote to memory of 3424  1260  omsecor.exe                                                              90             5
PID 3424 wrote to memory of 4748  3424  omsecor.exe                                                              109            3
PID 4748 wrote to memory of 4856  4748  omsecor.exe                                                              110            5
PID 4856 wrote to memory of 4412  4856  omsecor.exe                                                              112            3
PID 4412 wrote to memory of 1436  4412  omsecor.exe                                                              114            5
Processes (indented by parent/child depth; the command line is shown where it differs from the image path)

C:\Users\Admin\AppData\Local\Temp\5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe (PID 2600)
  command line: "C:\Users\Admin\AppData\Local\Temp\5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\5b6afba70a8d5691416db3cbb1c9b2a17796f271903875ad4f2d7df77278bd86N.exe (PID 272)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1260)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3424)
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\omsecor.exe (PID 4748)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\omsecor.exe (PID 4856)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4412)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1436)
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\WerFault.exe (PID 1852)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 256
                - Program crash
          C:\Windows\SysWOW64\WerFault.exe (PID 4492)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 292
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe (PID 3504)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 288
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe (PID 1788)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 288
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 3244)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2600 -ip 2600
C:\Windows\SysWOW64\WerFault.exe (PID 1720)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1260 -ip 1260
C:\Windows\SysWOW64\WerFault.exe (PID 2332)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe (PID 4988)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4412 -ip 4412
Network
MITRE ATT&CK Enterprise v15
Downloads