Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2025 14:59

General

  • Target

    ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe

  • Size

    72KB

  • MD5

    9b6f5e39e7e1bbd64a96d9767d8816a0

  • SHA1

    e8ed1b06fe1e2081547213cf9167bef9c8ce0126

  • SHA256

    ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2d

  • SHA512

    4de92a4241eaf035dae634e48273f8ae4d17c1b3c44be88096cad0d76a6355a846c1e4978025c34a7d6be7e44cb30932eb5977a99a8c5840ceb4872c6a15e477

  • SSDEEP

    1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211P:bdseIOMEZEyFjEOFqTiQm5l/5211P

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe
    "C:\Users\Admin\AppData\Local\Temp\ed9e6bf71a6c34b217dd971c27921aa460329582047176a0ae44372ee3ceba2dN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4440

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • flag-us
    GET
    http://mkkuei4kdsz.com/656/72.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /656/72.html HTTP/1.1
    From: 133815995484480055
    Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?16558h57672c/3d573.371chbdfbc212
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Fri, 17 Jan 2025 15:00:11 GMT
    content-length: 114
  • flag-us
    DNS
    145.243.33.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.243.33.3.in-addr.arpa
    IN PTR
    Response
    145.243.33.3.in-addr.arpa
    IN PTR
    a3edc0dabdef92d6dawsglobalacceleratorcom
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/409/608.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /409/608.html HTTP/1.1
    From: 133815995484480055
    Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?16558h57672c/3d573.371chbdfbc212
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 17 Jan 2025 15:00:22 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=94fb36028fb9738bdad75da97e24378c|181.215.176.83|1737126022|1737126022|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    229.198.34.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    229.198.34.52.in-addr.arpa
    IN PTR
    Response
    229.198.34.52.in-addr.arpa
    IN PTR
    ec2-52-34-198-229 us-west-2compute amazonawscom
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/656/72.html
    http
    omsecor.exe
    466 B
    388 B
    6
    4

    HTTP Request

    GET http://mkkuei4kdsz.com/656/72.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/409/608.html
    http
    omsecor.exe
    467 B
    623 B
    6
    5

    HTTP Request

    GET http://ow5dirasuek.com/409/608.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    156 B
    3
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    145.243.33.3.in-addr.arpa
    dns
    71 B
    127 B
    1
    1

    DNS Request

    145.243.33.3.in-addr.arpa

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

  • 8.8.8.8:53
    229.198.34.52.in-addr.arpa
    dns
    72 B
    135 B
    1
    1

    DNS Request

    229.198.34.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    72KB

    MD5

    798a2cc48c80ab1d22197079db8d39bc

    SHA1

    03ee9eeb65c8452d7f8d9ed2f47973099674e275

    SHA256

    7a9705f9aa7b35f0538317b81f64e613d6e393b33715122609a89611168cf73a

    SHA512

    31a14d4329d42f6cf655d704be6e026399fdb021acb2a4c8e20b8f442742c49dd7213e4001417fc42597422d684bb0dca2077c00bfa0c5b50341fe9e7af815c4

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    72KB

    MD5

    a843ddbe4db478bb7c3404305737eab0

    SHA1

    2e26eeb05425b4cc5759eef5360b1a0d82d75261

    SHA256

    8033a4f67f819651529979ba6e7fcba5e8f517b5dbef4c5cc598a6ec8ea3dbbe

    SHA512

    86530109b85abbe72ece65ddd9f8ba874413975565b16b6d2d52b873a0efb21d6bcefc6dd6f5da154684af01f338ff5c7588fadf063b8359199ca6cc78149860

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    72KB

    MD5

    5cb4e7e9621fe7eec986a08dd4907d24

    SHA1

    452d3b4025bbd125bffa92fc6288df94ff14027a

    SHA256

    30067fca78fe3bd0a62d018c285d06d3e0b2ee2629655eb2ff193723f0e3edf3

    SHA512

    50b132eed4be6eae90035ae0d1f140c82e8ea0861e647b55f5b66c46bb0b7db81271c9890966b4e5d0f72b78981be1c8854f20f7c172cce31ddabfc2247bfddf

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.