Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-01-2025 22:30
Behavioral task: behavioral1
Sample: 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
Resource: win7-20240903-en
General
Target: 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
Size: 72KB
MD5: 63c3eac87a43e1045b78d95d7ec1d2ba
SHA1: a7b9d2f39670f3a035484c521487d15d765de400
SHA256: 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342
SHA512: a5b435c60876ee7d87d1efe719b3d3dab4befa82ab35c899a5730a369ac97ddb7a0709502ce7279f1c2d19eb87b6bb1634631869a5ae8a525d61e78e05f34787
SSDEEP: 1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211H:bdseIOMEZEyFjEOFqTiQm5l/5211H
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
Neconyd family
Executes dropped EXE (3 IoCs)
  pid   Process
  2716  omsecor.exe
  836   omsecor.exe
  1748  omsecor.exe
Loads dropped DLL (6 IoCs)
  pid   Process
  2400  2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
  2400  2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
  2716  omsecor.exe
  2716  omsecor.exe
  836   omsecor.exe
  836   omsecor.exe
Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2400 wrote to memory of 2716   2400  2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe  30
  PID 2400 wrote to memory of 2716   2400  2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe  30
  PID 2400 wrote to memory of 2716   2400  2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe  30
  PID 2400 wrote to memory of 2716   2400  2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe  30
  PID 2716 wrote to memory of 836    2716  omsecor.exe                                                             33
  PID 2716 wrote to memory of 836    2716  omsecor.exe                                                             33
  PID 2716 wrote to memory of 836    2716  omsecor.exe                                                             33
  PID 2716 wrote to memory of 836    2716  omsecor.exe                                                             33
  PID 836 wrote to memory of 1748    836   omsecor.exe                                                             34
  PID 836 wrote to memory of 1748    836   omsecor.exe                                                             34
  PID 836 wrote to memory of 1748    836   omsecor.exe                                                             34
  PID 836 wrote to memory of 1748    836   omsecor.exe                                                             34
Processes
1. C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2400
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2716
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 836
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1748
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 72KB
MD5: 7aa684bca2f474d1490c016504595726
SHA1: 8f7390d9883ea1793c3ea05ef3637bb5de55c868
SHA256: 57b4bf966900d8f0f3a71c070da4ae4eb65588d2c6757b6e74ab5c91febb0acd
SHA512: b3035ecaa111e1d1fa4111f3f43f4b30e0d19b184236f6a321ff654f61e561d939911e90e436c043458e208d76ece71cec608081010412758bfeaa114802751a

Filesize: 72KB
MD5: 2b6b0dcbedf5e9ace7cf6e85afd37c08
SHA1: 121705f3da88f9817e2bb5dcffe86cc2e878dad4
SHA256: d668d6212d91d692e77c26158351426ce279237bb2dae8dabfa929bd818ecfcc
SHA512: 77d3c402ca40bf56f255a91f091fac6954223987227b11c0318573c45a997880066d0372a2b20818e816aaae7d469dba55eeaf0af0ba462db1c0a6b8532dc45e

Filesize: 72KB
MD5: 9b70a8dfdee6f97127cf696cb330ef55
SHA1: 4e8bb1788b604f0fa01ab08ac83ff574f343a49a
SHA256: f658339fb86fe1d1d352d1cfd122b058d4c5cf3deff1f5624faff074cfe942ab
SHA512: 9f20cff76eef86acd6cc1c276e470a43d65637f9185ba69baafa5230d09a62620e8cd5b6c596de9a60248b09729020b6f19941986fdc5e72b4ae58505c4f466b