Analysis
Max time kernel: 145s
Max time network: 146s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 19/01/2025, 22:34 UTC
Behavioral task: behavioral1
Sample: 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
Resource: win7-20240903-en
General
Target: 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
Size: 72KB
MD5: 63c3eac87a43e1045b78d95d7ec1d2ba
SHA1: a7b9d2f39670f3a035484c521487d15d765de400
SHA256: 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342
SHA512: a5b435c60876ee7d87d1efe719b3d3dab4befa82ab35c899a5730a369ac97ddb7a0709502ce7279f1c2d19eb87b6bb1634631869a5ae8a525d61e78e05f34787
SSDEEP: 1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211H:bdseIOMEZEyFjEOFqTiQm5l/5211H
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (3 IoCs)
  PID / Process:
  3020 omsecor.exe
  1532 omsecor.exe
  292 omsecor.exe

- Loads dropped DLL (6 IoCs)
  PID / Process:
  2516 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
  2516 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
  3020 omsecor.exe
  3020 omsecor.exe
  1532 omsecor.exe
  1532 omsecor.exe

- Drops file in System32 directory (1 IoC)
  Description / IoC / Process:
  File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description / IoC / Process:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Description / PID / Process / procid_target:
  PID 2516 wrote to memory of 3020 2516 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe 30 (4 events)
  PID 3020 wrote to memory of 1532 3020 omsecor.exe 33 (4 events)
  PID 1532 wrote to memory of 292 1532 omsecor.exe 34 (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe"
   PID: 2516
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3020
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1532
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 292
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network

- Remote address: 8.8.8.8:53
  Request: lousta.net IN A
  Response: lousta.net IN A 193.166.255.171

- Remote address: 8.8.8.8:53
  Request: mkkuei4kdsz.com IN A
  Response: mkkuei4kdsz.com IN A 15.197.204.56
            mkkuei4kdsz.com IN A 3.33.243.145

- Remote address: 15.197.204.56:80
  Request:
    GET /393/138.html HTTP/1.1
    From: 133817996902902000
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6451aoe|A07f4<h084a;i34je;<2<j3if2h<0d69:
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Sun, 19 Jan 2025 22:35:54 GMT
    content-length: 114

- Remote address: 8.8.8.8:53
  Request: ow5dirasuek.com IN A
  Response: ow5dirasuek.com IN A 52.34.198.229

- Remote address: 52.34.198.229:80
  Request:
    GET /349/715.html HTTP/1.1
    From: 133817996902902000
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6451aoe|A07f4<h084a;i34je;<2<j3if2h<0d69:
    Host: ow5dirasuek.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Sun, 19 Jan 2025 22:36:04 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=55b0d037ab8410b200445bd1c662eae6|181.215.176.83|1737326164|1737326164|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

- Remote address: 15.197.204.56:80
  Request:
    GET /779/949.html HTTP/1.1
    From: 133817996902902000
    Via: goqjiuq^uiv@;08bcrhe@9^serdq=4403435bovA6451aoe|A07f4<h084a;i34je;<2<j3if2h<0d69:
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Sun, 19 Jan 2025 22:37:17 GMT
    content-length: 114
Traffic summary (bytes sent / bytes received, packets sent / packets received, description)

- 152 B, 3 pkts: no request details recorded
- 152 B, 3 pkts: no request details recorded
- 519 B / 644 B, 7 / 5 pkts: HTTP Request GET http://mkkuei4kdsz.com/393/138.html, HTTP Response 200
- 421 B / 623 B, 5 / 5 pkts: HTTP Request GET http://ow5dirasuek.com/349/715.html, HTTP Response 200
- 152 B, 3 pkts: no request details recorded
- 152 B, 3 pkts: no request details recorded
- 381 B / 604 B, 4 / 4 pkts: HTTP Request GET http://mkkuei4kdsz.com/779/949.html, HTTP Response 200
- 56 B / 72 B, 1 / 1 pkts: DNS Request lousta.net, DNS Response 193.166.255.171
- 61 B / 93 B, 1 / 1 pkts: DNS Request mkkuei4kdsz.com, DNS Response 15.197.204.56, 3.33.243.145
- 61 B / 77 B, 1 / 1 pkts: DNS Request ow5dirasuek.com, DNS Response 52.34.198.229
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 72KB
  MD5: c86e4bd678490701b4cf87749fec8249
  SHA1: 895fc35ce5a384882111a376a630b227876ea605
  SHA256: d3cf8a0a47d7e3d1cdd370acb551753bb4b69b389242a1673ded2170dde8bb21
  SHA512: 356db7fc3b604dcefd26cba1fe194a06895c34b95af3ea9356c978848ca8d04377542489dcea51ae3f35fe53efa587bf125b776cc915e646aeccc935302a7a72

- Filesize: 72KB
  MD5: 7aa684bca2f474d1490c016504595726
  SHA1: 8f7390d9883ea1793c3ea05ef3637bb5de55c868
  SHA256: 57b4bf966900d8f0f3a71c070da4ae4eb65588d2c6757b6e74ab5c91febb0acd
  SHA512: b3035ecaa111e1d1fa4111f3f43f4b30e0d19b184236f6a321ff654f61e561d939911e90e436c043458e208d76ece71cec608081010412758bfeaa114802751a

- Filesize: 72KB
  MD5: ce39eb2f7327acbcbb7815b9e0d79206
  SHA1: 9a6725664e2e4f6a794de10347714b18b54f376b
  SHA256: cc8ec9112c487084125047cb0e091dac09bb6536e8e53f4ea367a0af52a70b8d
  SHA512: 8516412261d9385ed4b6e25ada87d4266a3b98312703a31786899131a833a34fc54966750edbd0dd935920ecac23e9a98e2edd78da2249604a58ec3a98cf59de