Analysis
-
max time kernel: 114s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-01-2025 14:59
Behavioral task: behavioral1
Sample: ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
Resource: win7-20240903-en
General
-
Target: ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
Size: 72KB
MD5: 9b6f5e39e7e1bbd64a96d9767d8816a0
SHA1: e8ed1b06fe1e2081547213cf9167bef9c8ce0126
SHA256: ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2d
SHA512: 4de92a4241eaf035dae634e48273f8ae4d17c1b3c44be88096cad0d76a6355a846c1e4978025c34a7d6be7e44cb30932eb5977a99a8c5840ceb4872c6a15e477
SSDEEP: 1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211P:bdseIOMEZEyFjEOFqTiQm5l/5211P
Malware Config
-
Extracted: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE 3 IoCs
pid   Process
4152  omsecor.exe
2916  omsecor.exe
4440  omsecor.exe
-
Drops file in System32 directory 1 IoCs
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description                       pid   Process                                                                  procid_target
PID 1184 wrote to memory of 4152  1184  ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe  83
PID 1184 wrote to memory of 4152  1184  ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe  83
PID 1184 wrote to memory of 4152  1184  ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe  83
PID 4152 wrote to memory of 2916  4152  omsecor.exe                                                              100
PID 4152 wrote to memory of 2916  4152  omsecor.exe                                                              100
PID 4152 wrote to memory of 2916  4152  omsecor.exe                                                              100
PID 2916 wrote to memory of 4440  2916  omsecor.exe                                                              101
PID 2916 wrote to memory of 4440  2916  omsecor.exe                                                              101
PID 2916 wrote to memory of 4440  2916  omsecor.exe                                                              101
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1184
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4152
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2916
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 4440
Network
-
Remote address: 8.8.8.8:53
Request: lousta.net IN A
Response: lousta.net IN A 193.166.255.171
-
Remote address: 8.8.8.8:53
Request: 97.17.167.52.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 71.31.126.40.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 167.173.78.104.in-addr.arpa IN PTR
Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 217.106.137.52.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 13.86.106.20.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 53.210.109.20.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: 241.42.69.40.in-addr.arpa IN PTR
Response:
-
Remote address: 8.8.8.8:53
Request: mkkuei4kdsz.com IN A
Response: mkkuei4kdsz.com IN A 3.33.243.145; mkkuei4kdsz.com IN A 15.197.204.56
-
Remote address: 3.33.243.145:80
Request:
GET /656/72.html HTTP/1.1
From: 133815995484480055
Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?16558h57672c/3d573.371chbdfbc212
Host: mkkuei4kdsz.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
date: Fri, 17 Jan 2025 15:00:11 GMT
content-length: 114
-
Remote address: 8.8.8.8:53
Request: 145.243.33.3.in-addr.arpa IN PTR
Response: 145.243.33.3.in-addr.arpa IN PTR a3edc0dabdef92d6d.awsglobalaccelerator.com
-
Remote address: 8.8.8.8:53
Request: ow5dirasuek.com IN A
Response: ow5dirasuek.com IN A 52.34.198.229
-
Remote address: 52.34.198.229:80
Request:
GET /409/608.html HTTP/1.1
From: 133815995484480055
Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?16558h57672c/3d573.371chbdfbc212
Host: ow5dirasuek.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Fri, 17 Jan 2025 15:00:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=94fb36028fb9738bdad75da97e24378c|181.215.176.83|1737126022|1737126022|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address: 8.8.8.8:53
Request: 229.198.34.52.in-addr.arpa IN PTR
Response: 229.198.34.52.in-addr.arpa IN PTR ec2-52-34-198-229.us-west-2.compute.amazonaws.com
-
260 B 5
-
260 B 5
-
466 B 388 B 6 4
HTTP Request
GET http://mkkuei4kdsz.com/656/72.html
HTTP Response
200
-
467 B 623 B 6 5
HTTP Request
GET http://ow5dirasuek.com/409/608.html
HTTP Response
200
-
260 B 5
-
156 B 3
-
56 B 72 B 1 1
DNS Request
lousta.net
DNS Response
193.166.255.171
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
71.31.126.40.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
167.173.78.104.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
241.42.69.40.in-addr.arpa
-
61 B 93 B 1 1
DNS Request
mkkuei4kdsz.com
DNS Response
3.33.243.145
15.197.204.56
-
71 B 127 B 1 1
DNS Request
145.243.33.3.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
ow5dirasuek.com
DNS Response
52.34.198.229
-
72 B 135 B 1 1
DNS Request
229.198.34.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 72KB
MD5: 798a2cc48c80ab1d22197079db8d39bc
SHA1: 03ee9eeb65c8452d7f8d9ed2f47973099674e275
SHA256: 7a9705f9aa7b35f0538317b81f64e613d6e393b33715122609a89611168cf73a
SHA512: 31a14d4329d42f6cf655d704be6e026399fdb021acb2a4c8e20b8f442742c49dd7213e4001417fc42597422d684bb0dca2077c00bfa0c5b50341fe9e7af815c4
-
Filesize: 72KB
MD5: a843ddbe4db478bb7c3404305737eab0
SHA1: 2e26eeb05425b4cc5759eef5360b1a0d82d75261
SHA256: 8033a4f67f819651529979ba6e7fcba5e8f517b5dbef4c5cc598a6ec8ea3dbbe
SHA512: 86530109b85abbe72ece65ddd9f8ba874413975565b16b6d2d52b873a0efb21d6bcefc6dd6f5da154684af01f338ff5c7588fadf063b8359199ca6cc78149860
-
Filesize: 72KB
MD5: 5cb4e7e9621fe7eec986a08dd4907d24
SHA1: 452d3b4025bbd125bffa92fc6288df94ff14027a
SHA256: 30067fca78fe3bd0a62d018c285d06d3e0b2ee2629655eb2ff193723f0e3edf3
SHA512: 50b132eed4be6eae90035ae0d1f140c82e8ea0861e647b55f5b66c46bb0b7db81271c9890966b4e5d0f72b78981be1c8854f20f7c172cce31ddabfc2247bfddf